CVE-2015-6835
published 2016-05-16


Priority: P265 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 36.99% (98.3rd percentile)
The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.

Affected (45 ranges, showing 25)

Vendor  Product  Version range  Fixed in
apple   os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20
php     php      <= 5.4.44
php     php      (23 further php/php ranges listed; version data not captured in this extract)

Detection & IOCs (extracted from sources)

url: http://git.php.net/?p=php-src.git;a=commitdiff;h=df4bf28f9f104ca3ef78ed94b497859f15b004e5
command: R:
command: r:
  • The vulnerability is triggered when the PHP session deserializer (php, php_binary, or php_serialize handlers) calls php_var_unserialize() multiple times on crafted session content. Monitor for use of R: or r: reference tokens in serialized session data pointing to already-freed ZVALs.
  • Multiple use-after-free vulnerabilities exist in all three session deserializer modes: php, php_binary, and php_serialize. Detection should cover all three session.serialize_handler values.
  • Successful exploitation allows an attacker to control memory and create a fake ZVAL, observable in PHP output as unexpected integer values (e.g., 1122334455) in deserialized arrays.
  • Affected PHP versions are 5.4 before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13. Red Hat Enterprise Linux 6 and 7 packages and several Red Hat Software Collections were marked 'Will not fix' because the behavior is documented as unsafe (passing untrusted input to unserialize()).
  • The vulnerability requires untrusted input to reach the session deserializer. PHP documentation explicitly warns against passing untrusted user input to unserialize(); using JSON (json_decode/json_encode) is the recommended safe alternative.
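The first detection bullet above asks defenders to watch for R: and r: reference tokens in stored session data. The scanner below is an added example (not code from the CVE record, from PHP, or from the advisory sources): it walks a session payload in the layout written by the "php" handler (repeated key|value records sharing one var_hash, which is why the advisory speaks of multiple php_var_unserialize calls) or by the "php_serialize" handler (one serialized array), skips string bodies by their declared length so an "R:1;" inside a string is not a false positive, and flags any reference token. It also flags a reference whose index exceeds the number of values registered so far, modelled on the assumption that php_var_unserialize registers every value except an R: token and never registers array or property keys; treat that count as a heuristic. All sample payloads are constructed, and the S:/C: token forms and the "!name" undefined-variable marker are deliberately left unsupported.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    key: str        # session variable the token was found under
    offset: int     # offset of the token within the payload
    token: str      # the literal token, e.g. "R:2;"
    dangling: bool  # True when the index exceeds the values registered so far


class SerializedScanner:
    """Recursive-descent walker over PHP's serialize() text format.

    Assumption (modelled on php_var_unserialize): every value except an R:
    token is pushed into var_hash, array/property keys are not, so a
    reference index larger than the running count cannot be legitimate.
    Supported tokens: N b i d s a O R r.  S: and C: are not handled.
    """

    def __init__(self, data: str):
        self.data = data
        self.pos = 0
        self.registered = 0          # values var_hash would hold so far
        self.findings: list[Finding] = []

    def expect(self, lit: str) -> None:
        if not self.data.startswith(lit, self.pos):
            raise ValueError(f"expected {lit!r} at offset {self.pos}")
        self.pos += len(lit)

    def read_until(self, stop: str) -> str:
        end = self.data.index(stop, self.pos)   # ValueError if truncated
        out = self.data[self.pos:end]
        self.pos = end + 1
        return out

    def skip_quoted(self, length: int, tail: str) -> None:
        # s:N:"..." and O:N:"Name" bodies are length-prefixed, never escaped,
        # so the body is skipped blindly; this is what defeats "R:1;" in a string.
        self.expect('"')
        self.pos += length
        self.expect(tail)

    def value(self, key: str, is_key: bool = False) -> None:
        start = self.pos
        tag = self.data[self.pos]
        if tag in "Rr":
            self.pos += 1
            self.expect(":")
            index = int(self.read_until(";"))
            if tag == "r":           # r: is registered like a value, R: is not
                self.registered += 1
            self.findings.append(Finding(key, start, self.data[start:self.pos],
                                         dangling=index > self.registered))
            return
        if not is_key:
            self.registered += 1
        if tag == "N":
            self.expect("N;")
        elif tag in "bid":            # b:1; i:42; d:1.5;
            self.pos += 1
            self.expect(":")
            self.read_until(";")
        elif tag == "s":              # s:3:"abc";
            self.pos += 1
            self.expect(":")
            self.skip_quoted(int(self.read_until(":")), '";')
        elif tag in "aO":             # a:N:{...}  O:L:"Class":N:{...}
            self.pos += 1
            self.expect(":")
            if tag == "O":
                self.skip_quoted(int(self.read_until(":")), '":')
            count = int(self.read_until(":"))
            self.expect("{")
            for _ in range(count):
                self.value(key, is_key=True)   # keys are never registered
                self.value(key)
            self.expect("}")
        else:
            raise ValueError(f"unknown token {tag!r} at offset {start}")


def scan_session(payload: str, handler: str = "php") -> list[Finding]:
    """Scan one stored session as written by session.serialize_handler.

    handler="php": key|value records, one var_hash shared across all of them.
    handler="php_serialize": a single serialized array holding $_SESSION.
    """
    sc = SerializedScanner(payload)
    if handler == "php_serialize":
        sc.value("$_SESSION")
    elif handler == "php":
        while sc.pos < len(payload):
            sc.value(sc.read_until("|"))
    else:
        raise ValueError(f"unsupported handler {handler!r}")
    return sc.findings


if __name__ == "__main__":
    # Constructed payloads: a clean session, a string that merely contains
    # "R:1;", a real reference, and a reference to a slot that never existed.
    samples = {
        "clean": 'user|a:2:{s:4:"name";s:5:"alice";s:4:"role";s:4:"user";}',
        "string_lookalike": 'note|s:4:"R:1;";',
        "reference": 'cart|a:2:{i:0;s:3:"abc";i:1;R:2;}',
        "dangling": 'x|a:1:{i:0;R:9;}',
    }
    for name, payload in samples.items():
        print(name, scan_session(payload))
```

Run it over the files in session.save_path (or the values pulled from a Redis/Memcached session store), with the handler argument set to the deployed session.serialize_handler; for an application that never stores PHP references in $_SESSION, any finding is worth an alert, and a dangling one is never legitimate.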

CVSS provenance

nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
vendor_ubuntu · 9.8 CRITICAL