PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
local users to modify behavior of other sites hosted on the same web
server by modifying the mbstring.func_overload setting within
.htaccess, which causes this setting to be applied to other virtual
hosts on the same server.
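
An added example, not part of the original report or of PHP itself: a small Python audit that finds `.htaccess` files setting a non-zero `mbstring.func_overload` through `php_value` and decodes which function families the value would overload. The function names and the sample file are constructed for illustration.

```python
import os
import re

# Bit meanings of mbstring.func_overload as documented in the PHP manual.
OVERLOAD_BITS = {1: "mail", 2: "string", 4: "regex"}

# Apache directive names are case-insensitive; the value may be quoted.
DIRECTIVE = re.compile(
    r"""^\s*php_value\s+mbstring\.func_overload\s+["']?(\d+)["']?\s*$""",
    re.IGNORECASE,
)

def scan_htaccess(text):
    """Return [(line_no, value, [families])] for every non-zero setting."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented lines start with '#' and never match
        if not m:
            continue
        value = int(m.group(1))
        if value:  # 0 leaves overloading switched off
            families = [n for bit, n in OVERLOAD_BITS.items() if value & bit]
            hits.append((no, value, families))
    return hits

def audit_tree(root):
    """Walk a docroot tree and map each offending .htaccess path to its hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample, not taken from any real site.
SAMPLE = """\
# php_value mbstring.func_overload 7
RewriteEngine On
PHP_Value mbstring.func_overload 6
php_value mbstring.func_overload 0
php_value mbstring.language Japanese
"""

if __name__ == "__main__":
    print(scan_htaccess(SAMPLE))
```
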
We also have that code in php-5.2.8-r2 /ext/mbstring/mbstring.c, but on line 1067.
rbu, why did you set whiteboard to "B3 [glsa?]" ?!
From my understanding, this might lead to data disclosure or denial of service, but does not allow for injection of code into other contexts of Apache. Maybe I am mistaken there?
Seems to be fixed in recent PHP versions.
Thank you everyone, sorry about the delay.