I do not see a lot of good information on this issue. The upstream bug (http://bugs.php.net/bug.php?id=49687) indicates that errors in decoding UTF-8 can enable XSS and SQL injection. The upstream revision at $URL states:

- Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the number of reported malformed sequences).

The SuSE folks have found that 5.2 is vulnerable as well: http://www.openwall.com/lists/oss-security/2010/11/03/1
Here is the commit to PHP 5.2. http://svn.php.net/viewvc?view=revision&revision=305055
*** This bug has been marked as a duplicate of bug 340807 ***