The forbidden_upload variable is checked in a case-sensitive manner, which means that capitalized extensions are not blocked using the default settings.
The safest setting is to turn off resource uploads until 1.2.7 can be verified and released.
Next safest is to configure upload_allowed_files to the list of files you want to allow. This setting is also case-sensitive, so you might want to use:
*.jpg *.JPG *.png *.PNG *.gif *.GIF *.bmp *.BMP
Next safest is to configure your upload_forbidden_files with all versions of capitalized extensions. Note that this method is hard to get right, since you would need to list every case variant (*.pHp, *.pHP, etc.).
I have not tested this exploit on many systems, so it is possible that your server is not affected by this (say, if test.PHP doesn't actually execute, but simply shows the contents of the file). If your server allows capitalized PHP files to run, you should check your Apache logs to see if a hacker uploaded a file into your gallery. Note that it isn't enough to only check your filesystem for the presence of these files, since the script might have been moved later.
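One way to run the log check described above, as an added example that is not code from the gallery project: it flags requests whose extension matches a blocked one only when case is ignored, and counts how many spellings a case-sensitive blocklist would need. It assumes Apache's common/combined log format and checks only php by default; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def case_variant_hits(lines, blocked=("php",)):
    """Return (client, time, method, path, status) for every request whose
    extension equals a blocked one case-insensitively but is not lowercase,
    i.e. a name a case-sensitive filter would have let through."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        client, when, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # drop query string, decode %xx
        name = path.rsplit("/", 1)[-1]
        if "." not in name:
            continue
        ext = name.rsplit(".", 1)[1]
        if ext.lower() in blocked and ext != ext.lower():
            hits.append((client, when, method, path, int(status)))
    return hits

def variant_count(ext):
    """Number of spellings a case-sensitive blocklist must list for ext."""
    return 2 ** sum(ch.isalpha() for ch in ext)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [12/Mar/2009:10:01:22 +0000] "GET /gallery/albums/holiday/beach.JPG HTTP/1.1" 200 48211',
    '198.51.100.7 - - [12/Mar/2009:10:04:09 +0000] "GET /gallery/albums/holiday/test.PHP?x=1 HTTP/1.1" 200 17',
    '198.51.100.7 - - [12/Mar/2009:10:05:40 +0000] "GET /gallery/albums/holiday/a.pHp HTTP/1.1" 404 209',
    '192.0.2.10 - - [12/Mar/2009:10:06:00 +0000] "GET /gallery/index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print("spellings of php to block:", variant_count("php"))
    for client, when, method, path, status in case_variant_hits(SAMPLE):
        # A 2xx status means the file existed when requested, even if it has
        # since been moved or deleted from the filesystem.
        print(f"{when} {client} {method} {path} -> {status}")
```

Rotated and compressed logs need to be included in the input, since the request may predate the current log file.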