It is a hurricane, but it is happening in the cyber world – Multiple vulnerabilities in PHP (Sep 2018)

The United States and Asia were hit by hurricanes. It looks as though a similar situation is happening in the cyber world. MS-ISAC has released an advisory on PHP vulnerabilities, urging the technology world to stay alert. For more details, please refer to the hyperlink below:

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-101/

For an attacker to exploit this PHP design weakness (arbitrary code execution, or RCE), the following conditions must be fulfilled.

  1. The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks.
  2. Untrusted user input must be passed to unserialize(). This applies regardless of the options value of allowed_classes: unserialization can result in code being loaded and executed due to object instantiation and autoloading.
  3. The data passed to unserialize() comes from a file, so a file with serialized data must be present on the server.
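
The first two conditions in miniature, as an added example that is not taken from the advisory or from this post: a class with magic methods, the unserialize() call that triggers them, and a JSON-based loader that never instantiates objects. TempFile, loadUnsafe(), loadSafe() and the sample input are constructed for illustration, the magic methods only write to a log, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);
// Added illustration: TempFile, loadUnsafe() and loadSafe() are hypothetical names.

// Condition 1: a class whose magic methods have side effects.
final class TempFile
{
    public static $log = [];              // records side effects instead of touching disk
    public $path = '/tmp/app-cache';

    public function __wakeup()
    {
        self::$log[] = "__wakeup ran, path={$this->path}";
    }

    public function __destruct()
    {
        // A real class might delete $this->path here; this one only logs.
        self::$log[] = "__destruct ran, path={$this->path}";
    }
}

// Condition 2 (weak form): bytes from outside the trust boundary reach unserialize().
function loadUnsafe(string $bytes)
{
    return unserialize($bytes);
}

// Hardened form: a data-only format, then explicit validation of the shape.
function loadSafe(string $bytes): array
{
    $data = json_decode($bytes, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['path']) || !is_string($data['path'])) {
        throw new InvalidArgumentException('unexpected payload shape');
    }
    return ['path' => $data['path']];
}

// Constructed input: a serialized TempFile whose property value the sender chose.
$constructed = 'O:8:"TempFile":1:{s:4:"path";s:19:"sender-chosen-value";}';

$obj = loadUnsafe($constructed);   // the object is rebuilt and __wakeup fires
unset($obj);                       // __destruct fires with the sender's property value
print_r(TempFile::$log);           // both magic methods are recorded here

TempFile::$log = [];
$safe = loadSafe('{"path":"sender-chosen-value"}'); // plain array, no object is created
var_dump($safe, TempFile::$log);   // the data arrives, but no magic method has run
```

When serialized PHP data cannot be replaced with JSON, the call sites that feed unserialize() and every class defining __wakeup or __destruct are the places to review first.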