A number of security researchers have provided a way to craft HTTP requests which take down a PHP-based web server completely. The idea is that essentially a specially constructed set of POST variables can completely put any web server into a never-ending CPU spin.
The newest version of PHP, PHP 5.3.9, has a patch for this, but we were already using a security filter called "suhosin" which limited POST (etc) variables nicely.
Just in case, we've reduced the limit on number of HTTP POST variables to 512, which should be many more than most applications use. Please let us know if this affects you.
If you're interested in very lengthy details, here's a post explaining the attack:
It turns out that this is not a new problem; it was discussed back in 2003-2004 and implemented in many other languages, although apparently PHP was left out at that time.