Korean
<< Back
VID 22657
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description According to its banner, PHP 5.5.20 is installed on the remote host. It is, therefore, affected by a use-after-free error in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system.

* Note: This check solely relied on the version number of the remote PHP to assess this vulnerability, so this might be a false positive.

* References:
http://php.net/ChangeLog-5.php#5.5.20
https://bugs.php.net/bug.php?id=68594

* Platforms Affected:
PHP Prior to 5.5.20
Any operating system Any version
Recommendation Upgrade to the latest version of PHP (5.5.20 or later), available from the Mozilla Web site at http://www.php.net/downloads.php
Related URL CVE-2014-8142 (CVE)
Related URL 71791 (SecurityFocus)
Related URL (ISS)