According to the vendor, exploitation on the IA32 platform does not allow the execution of arbitrary code. The IA32 platform is still susceptible to a denial of service on PHP and the web server. Other platforms are susceptible to arbitrary code execution, but the code is only executed with the privileges of the web server, which limits what actions an attacker can perform. Web server privileges typically correspond to the user nobody and would not allow the attacker to gain root-level access to the system.
One way to exploit this vulnerability is to modify the contents of the hosted material in a manner that will drastically alter its original meaning. The impact of this attack would depend on the content of the hosted site. For example, if the server is hosting financial data, an attacker could not only steal this information but also modify it in a manner that would cause legitimate users to act on it.
An attacker could also exploit the vulnerability to place malicious code inside trusted content. An attacker could embed cross-site scripting code that steals sensitive information from users or redirects visitors to inappropriate sites. If such an attack were executed on a trusted public site, it could adversely affect the site's reputation.