In response to CiviCRM's advisory on April 18/04/2013
If your site is hosted by Circle Interactive, we have removed the offending file from all sites, so no emergency upgrades are needed.
The vulnerability only arises if directories under the web server root are:
- writable by the web server process, and
- the web server is configured to allow executing files in these writable directories.
These conditions do not apply on our servers: only directories that need to be writable by the web server process are so writable, and the web server is configured not to allow executing files in these writable directories.
We have carried out audits of our servers and concluded that the vulnerability was not successfully exploited.