The United States and Asia were hit by hurricanes. It looks as though a similar situation is happening in the cyber world. MS-ISAC has released an advisory on PHP vulnerabilities that urges the technology world to stay alert. For more details, please refer to the hyperlink below:
For a hacker to exploit the PHP design weakness (arbitrary code execution, or RCE), the attack must fulfill the conditions below.
- The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks.
- Untrusted user input is passed to unserialize(), regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading.
- The data passed to unserialize() comes from a file, so a file with serialized data must be present on the server.
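The first two conditions next to a safer storage pattern, as an added example that is not from the MS-ISAC advisory or the original post. TempFile, saveState() and loadState() are hypothetical names, the serialized string and the key are constructed, and PHP 7.4 or later is assumed.

```php
<?php
// Added example; TempFile, saveState and loadState are hypothetical names.

// Condition 1: a class with a magic method that acts on its own properties.
class TempFile
{
    public string $path = '';
    public static array $log = [];

    public function __destruct()
    {
        // A real class might unlink($this->path); this one only records it.
        self::$log[] = "would delete: {$this->path}";
    }
}

// Constructed sample: serialized bytes in which the sender chose the path.
$path = '/srv/app/config.ini';
$untrusted = sprintf('O:8:"TempFile":1:{s:4:"path";s:%d:"%s";}', strlen($path), $path);

// Weak: condition 2, untrusted bytes go straight into unserialize().
$obj = unserialize($untrusted);
unset($obj); // __destruct runs here with the sender's value in $path
print_r(TempFile::$log);

// Corrected: store JSON (plain data, no objects) with an HMAC over it.
function saveState(array $state, string $key): string
{
    $json = json_encode($state, JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $json, $key) . '.' . $json;
}

function loadState(string $blob, string $key): ?array
{
    [$mac, $json] = array_pad(explode('.', $blob, 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $json, $key), $mac)) {
        return null; // not produced by saveState() with this key
    }
    return json_decode($json, true, 16, JSON_THROW_ON_ERROR);
}

$key = random_bytes(32); // constructed key; a real one lives in server config
$blob = saveState(['theme' => 'dark'], $key);
var_dump(loadState($blob, $key));      // round trip of our own data
var_dump(loadState($untrusted, $key)); // MAC check fails before any decoding
```

Because loadState() never calls unserialize(), no class is instantiated from stored bytes, so the magic method cannot be reached through this path.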