Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.36. It is, therefore, affected by a use-after-free error in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system.
Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to PHP version 5.4.36 or later.
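The banner-based version check described above, written as an added example (not Nessus plugin code and not part of the original advisory): it parses a 'Server' or 'X-Powered-By' header value and flags PHP 5.4.x releases prior to 5.4.36. The function name, status labels and sample header values are assumptions constructed for illustration.

```python
import re

FIXED = (5, 4, 36)  # first fixed 5.4.x release, per the advisory

# Matches "PHP/5.4.35" inside a Server or X-Powered-By value. Anything glued
# to the patch number (for example a distribution package suffix) is captured
# separately, because packagers can backport fixes without changing the
# upstream version string.
_PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s,;)]*)")


def classify_banner(header_value):
    """Return (status, version, note) for one header value.

    status is one of: 'affected', 'fixed', 'out-of-scope', 'unknown'
    (labels chosen for this example).
    """
    m = _PHP_RE.search(header_value or "")
    if not m:
        return ("unknown", None, "no PHP version in banner")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    suffix = m.group(4)
    if version[:2] != (5, 4):
        return ("out-of-scope", version, "not the 5.4.x branch")
    if version >= FIXED:
        return ("fixed", version, "5.4.36 or later")
    note = "banner reports 5.4.x prior to 5.4.36"
    if suffix:
        # A banner match is not proof: confirm the installed package level.
        note += "; vendor suffix %r present, verify package patch level" % suffix
    return ("affected", version, note)


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real host.
    samples = [
        "PHP/5.4.35",
        "Apache/2.2.22 (Unix) PHP/5.4.36",
        "PHP/5.4.4-14+deb7u14",
        "PHP/5.5.9",
        "nginx",
    ]
    for value in samples:
        print("%-35s %s" % (value, classify_banner(value)))
```

Like the plugin, this relies only on the self-reported version, so a host that hides or rewrites its banner returns 'unknown' and needs a package-level check instead.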