PHP 7 Suffers from 3 Critical Zero-days

Security researcher have found a three critical zero-day vulnerability on latest PHP 7, which allows and attacker to take full control over the website using of PHP 7.

Security Researcher of Check point's exploit research team have found these critical zero-days, that reside in the unserialized mechanism in PHP 7.

The critical vulnerabilities reside in the unserialized mechanism in PHP 7 – the same mechanism that was found to be vulnerable in PHP 5 as well, allowing hackers to compromise Drupal, Joomla, Magento, vBulletin and PornHub websites and other web servers in the past years by sending maliciously crafted data in client cookies.

These zero-day Vulnerabilities dubbed as CVE-2016-7479 (Use after free code Execution) , CVE-2016-7480 (Use of Uninitialized value code execution), and CVE-2016-7478 (Remote Denial of Service). Among these, first two Vulnerabilities gives full control to attacker over the targeted server after successful exploitation, where as third one if exploited cause Denial of Service (DoS) attack.

All these three zero-days Vulnerabilities had been reported to PHP security team by researcher, but only two of them have been patched and one zero-day is still alive (yet to patch).

Patch of two Vulnerabilities have been released, so it is strongly recommended to all server admin to upgrade your PHP version to latest one.