PHP 5.4.x < 5.4.36 / 5.5.x < 5.5.20 / 5.6.x < 5.6.4 Use-After-Free
Severity: High
Nessus Network Monitor Plugin ID 8608
Synopsis
The remote web server uses an outdated version of PHP, leaving it vulnerable to several issues.

Description
PHP versions earlier than 5.6.4, 5.5.20, and 5.4.36 are exposed to a use-after-free vulnerability in the 'process_nested_data' function in 'ext/standard/var_unserializer.re'. This allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object. (PHP Bug 68594)

Solution
Apply the vendor's patch, or upgrade to the latest version. These issues have been fixed in versions 5.6.4, 5.5.20, and 5.4.36.
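The following is an added example, not code from the Nessus plugin, showing the branch-aware version check implied by the affected ranges above, applied to a constructed X-Powered-By banner; the fixed-version table is taken from the advisory text, and the banner lines are made up for illustration.

```python
import re
from typing import Optional

# Fixed releases per the advisory: each branch has its own first non-affected version.
FIXED_IN = {(5, 4): (5, 4, 36), (5, 5): (5, 5, 20), (5, 6): (5, 6, 4)}

# Matches "PHP/5.5.19", "PHP/5.5.19-1~dotdeb.1" or "PHP 5.4.16 (cli)"; distro suffixes are ignored.
_VERSION_RE = re.compile(r"\bPHP/?\s*(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_php_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) from an HTTP header or `php -v` line, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> Optional[bool]:
    """True if the version is below its branch's fix, False if at or above it,
    None when the branch (e.g. 5.3.x or 7.x) is outside the ranges this check covers."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison is lexicographic, so 5.5.19 < 5.5.20


def assess_banner(line: str) -> str:
    """Classify one banner line the way a passive scanner would."""
    version = parse_php_version(line)
    if version is None:
        return "no PHP version disclosed"
    verdict = is_affected(version)
    label = "%d.%d.%d" % version
    if verdict is None:
        return "PHP %s: branch not covered by this check" % label
    return "PHP %s: %s" % (label, "AFFECTED" if verdict else "fixed")


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("X-Powered-By: PHP/5.5.19-1~dotdeb.1",
                   "X-Powered-By: PHP/5.6.4",
                   "Server: Apache/2.4.7 (Ubuntu)"):
        print(assess_banner(banner))
```

A banner-based check can produce false positives on distributions that backport the fix without changing the reported version, so confirm the package changelog before treating a hit as exploitable.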