The unserialize function in PHP 5.3.0 and earlier allows context-dependent attackers to cause a denial of service (resource consumption) via a deeply nested serialized variable, as demonstrated by a string beginning with a:1: followed by many {a:1: sequences.
Vector
NETWORK
Complexity
LOW
Authentication
NONE
Confidentiality
NONE
Integrity
NONE
Availability
PARTIAL
Php Php 5.2.4 Windows (not an official CPE)
PHP 5.2.4
PHP 5.2.3
PHP 5.2.2
PHP 5.2.1
PHP 5.2.0
PHP PHP 5.1.6
PHP PHP 5.1.5
PHP 5.1.4
PHP PHP 5.1.3
PHP PHP 5.1.2
PHP PHP 5.1.1
PHP PHP 5.1.0
PHP PHP 5.0.5
PHP PHP 5.0.4
PHP PHP 5.0.3
PHP PHP 5.0.2
PHP PHP 5.0.1
PHP PHP 5.0.0 RC3
PHP PHP 5.0.0 RC2
PHP PHP 5.0.0 RC1
PHP PHP 5.0.0 Beta4
PHP PHP 5.0.0 Beta3
PHP PHP 5.0.0 Beta2
PHP PHP 5.0.0 Beta1
PHP PHP 5.0.0
Php Php 5.0 Rc3 (not an official CPE)
Php Php 5.0 Rc2 (not an official CPE)
Php Php 5.0 Rc1 (not an official CPE)
Php Php 5 (not an official CPE)
PHP 5.2.5
PHP 5.2.6
PHP 5.2.7
PHP 5.2.8
PHP 5.2.9
PHP 5.2.10
PHP 5.2.11
PHP 5.3.0
| Advisory | Patch | Confirmed | Link |
|---|---|---|---|
| http://www.suspekt.org/downloads/POC2009-ShockingNewsInP... | |||
| http://www.suspekt.org/2009/11/28/shocking-news-in-php-e... |