PHP7 Zero Day Exploits Found


The Hacker News reported Zero Day exploits found in PHP7.

The critical vulnerabilities reside in the unserialized mechanism in PHP 7 – the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in the past years by sending maliciously crafted data in client cookies.[1]

unserialize is a dangerous function. It has been proven over and over in the last years, yet it is still used in the wild. [2]

Resources:

  1. 3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
  2. Exploiting PHP-7 unserialize (pdf)
  3. unserialize
  4. CHECK POINT DISCLOSES 3 PHP 0-DAYS (pdf)
  5. Exploiting PHP7 unserialize (slides)