That is what you get when websites are treated as cash-cows by hosters and security is not a first priority: For that apache server version exploit: https://hackerone.com/reports/66929
Due for instance to insecure handling of the HTTP headers, and with PHP.cgi for that version you are food for the birds
through remote code execution.