PHP "unserialize()" Security Vulnerability
Release date:
Updated on:
Affected Systems:
PHP <5.4.36
Description:
CVE (CAN) ID: CVE-2014-8142
PHP is a widely used scripting language. It is especially suitable for Web development and can be embedded into HTML.
In PHP versions earlier than 5.4.36, the "process_nested_data()" function contains a use-after-free vulnerability. By passing crafted input to the "unserialize()" function, an attacker can corrupt memory. The "var_push_dtor()" function contains a NULL pointer dereference; by passing crafted input to "unserialize()", an attacker can cause a crash. Successful exploitation of these vulnerabilities can lead to arbitrary code execution.
<* Source: Stefan Esser
Link: http://secunia.com/advisories/61236/
*>
Suggestion:
Vendor patch:
PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
PHP:
http://php.net/ChangeLog-5.php#5.4.36
https://bugs.php.net/bug.php?id=68594
Charlie Eriksen:
https://bugs.php.net/bug.php?id=68545