ID:227 - Exploit for Deserialization of Untrusted Data in PHP - CVE-2016-7124

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Exploits ID:227 - Exploit for Deserialization of Untrusted Data in PHP - CVE-2016-7124

ID:227 - Exploit for Deserialization of Untrusted Data in PHP - CVE-2016-7124

Published: March 18, 2020


Vulnerability identifier: #VU16138
Vulnerability risk: Medium
CVE-ID: CVE-2016-7124
CWE-ID: CWE-502
Exploitation vector: Remote access
Vulnerable software:
PHP

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing certain objects in "ext/standard/var_unserializer.c" PHP extension. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system via "__destruct" or "magic" method calls.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install updates from vendor's website.