Synopsis
PHP 5.6.x < 5.6.4 process_nested_data() RCE
Description
According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.4. It is, therefore, affected by a use-after-free error in the 'process_nested_data' function within 'ext/standard/var_unserializer.re' due to improper handling of duplicate keys within the serialized properties of an object. A remote attacker, using a specially crafted call to the 'unserialize' method, can exploit this flaw to execute arbitrary code on the system.
Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to PHP version 5.6.4 or later.
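
The condition named in the description, a serialized object whose property list repeats a key, can be flagged before input reaches unserialize. The Python below is an added example, not code from this advisory, the scanner or PHP; `duplicate_property_keys` and the sample payloads are constructed for illustration, and it assumes input limited to the N, b, i, d, s, a, O, R and r tags.

```python
# Assumption: only tags N b i d s a O R r are handled; anything else raises ValueError.
def _until(data, pos, stop):
    end = data.find(stop, pos)
    if end < 0:
        raise ValueError("unterminated token at offset %d" % pos)
    return data[pos:end], end + len(stop)

def _string(data, pos):                     # pos is at LEN in  LEN:"bytes"
    raw_len, pos = _until(data, pos, b':"')
    end = pos + int(raw_len)                # length counts bytes, not characters
    if data[end:end + 1] != b'"':
        raise ValueError("bad string length at offset %d" % pos)
    return data[pos:end], end + 1

def _value(data, pos, hits, depth=0):
    """Parse one value at pos; return (scalar bytes or None, next offset)."""
    tag = data[pos:pos + 1]
    if depth > 64:
        raise ValueError("nesting too deep")
    if tag == b"N":                         # N;
        return None, pos + 2
    if tag and tag in b"bidRr":             # i:42;  b:1;  d:0.5;  R:2;
        return _until(data, pos + 2, b";")
    if tag == b"s":                         # s:1:"a";
        value, pos = _string(data, pos + 2)
        return value, pos + 1
    if tag in (b"a", b"O"):                 # a:N:{..}   O:LEN:"Class":N:{..}
        name, pos = b"", pos + 2
        if tag == b"O":
            name, pos = _string(data, pos)
            pos += 1                        # skip ':' before the count
        raw_count, pos = _until(data, pos, b":{")
        seen = set()
        for _ in range(int(raw_count)):
            key, pos = _value(data, pos, hits, depth + 1)
            if tag == b"O" and key in seen:
                hits.append((name, key))    # repeated property key in an object
            seen.add(key)
            _, pos = _value(data, pos, hits, depth + 1)
        if data[pos:pos + 1] != b"}":
            raise ValueError("missing '}' at offset %d" % pos)
        return None, pos + 1
    raise ValueError("unsupported tag %r at offset %d" % (tag, pos))

def duplicate_property_keys(payload):
    """Return [(class_name, key), ...] for each repeated object property key."""
    hits = []
    _value(payload, 0, hits)
    return hits

CLEAN = b'O:8:"stdClass":2:{s:1:"a";i:1;s:1:"b";i:2;}'      # constructed sample
DUPLICATE = b'O:8:"stdClass":2:{s:1:"a";i:1;s:1:"a";i:2;}'  # constructed sample
```

A hit is a reason to reject or log the input; it does not replace upgrading to 5.6.4 or later.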