A quick and dirty fix for PHP Code Insertion vulnerability on WordPress, a diff for wp-includes/functions.php
< $lastpostdate = $cache_lastpostdate[$timezone];
> $lastpostdate = preg_replace('/[^0-9 :\-]/','',$cache_lastpostdate[$timezone]);
The sites with register_globals=off is not affected by the vulnerability. So I strongly recommend to disable register_globals, rather than applying the patch above. Those with register_globals=on shall be cracked via another security holes anyway.
Boring In The Chair seems to refer this issue, however I cannot read Spanish. Sorry.
WordPress Support says an official patch will be out soon.
WordPress 1.5.2 is now out, with a bunch of security fix including the $cache_lastpostdate problem. So upgrade your WordPress as soon as possible!