You are here
Home > Vulnerability > Expert spotted 3 critical vulnerabilities 0-Day in PHP7 – One remain unpached

Expert spotted 3 critical vulnerabilities 0-Day in PHP7 – One remain unpached


Security researchers at the firm CheckPoint have discovered three fresh critical 0-day vulnerabilities in last PHP 7 that could allow an attacker to take complete control over 80 percent of websites which run on the latest version of the popular web programming language. The bad news is that one of the vulnerabilities remains unpatched again.

Security researchers at Check Point’s have analyzed in the last months PHP 7 and focused their efforts into “the unserialized mechanism” which is one of the most well-known vulnerable areas of PHP.

This is the same mechanism that was strongly exploited in PHP 5 and allowed attackers to compromise popular platforms, including Magento, vBulletin, Drupal, Joomla!, Pornhub’s website and other affected web servers in past, by sending maliciously crafted data in client cookies or to expose API calls.

The 0-Day in PHP7 vulnerabilities are :

  • CVE-2016-7479—Use-After-Free Code Execution
  • CVE-2016-7480—Use of Uninitialized Value Code Execution
  • CVE-2016-7478—Remote Denial of Service
  • The first two vulnerabilities, if exploited, would allow an attacker to take complete control over affected servers, this means that it is possible to exploit them to spread malware as well as to steal data they store.

    The third vulnerability triggers a remote Denial of Service (DoS) attack which basically hangs the website, exhausts its memory consumption, and a possible site down, researchers explain in their report.


    The third vulnerability allows a remote attacker to unserialize a pathological exception object which refers to itself as the previous exception. states the report. “When invoking the __toString method of this exception, the code iterates over the chain of exceptions. As the chain of exceptions consists of just that one object that points to itself, the iteration never terminates.

    From this code, the infinite loop is obvious:

    CVE-2016-7478—REMOTE-DENIAL-OF-SERVICE 0-day


    The second vulnerability is a little more complicated, and requires some preconditions. However, it allows a remote attacker to fully control the vulnerable process.
    The root cause of this vulnerability is that the un-serialized properties of an object are stored in the properties hash table of this object. Every un-serialized value has a reference in the var_hash struct to support the reference feature of the serialization format.


    The third vulnerability is a classic use-of-uninitialized-value from the stack found in the custom unserialize function of the SplObjectStorage object.

    Let’s see the vulnerable code:


    What to Do ?

    The check Point researchers reported all the three zero-day vulnerabilities to the PHP security team on September 15 and August 6.Patches for two of the three flaws were issued by the PHP security team on 13th October and 1st December, but one of them remains unpatched.

    In order to ensure the webserver’s security, users are strongly recommended to upgrade their servers to the latest version of PHP and always visit on PHP’s official site for news and updates.

    Jay Prakash Kumar
    If you have come this far, it means that you liked what you are reading. Why not reach little more and connect with me directly on Facebook or Twitter. Jay Prakash is a founder of Professional Hacker, Technical Writer, Software Developer, Security Analyst and Technology Enthusiast with a keen eye on the Cyber-world and other technology-related developments.