CVE-2015-6835

CRITICAL

Joomla HTTP Header Unauthenticated Remote Code Execution

Title source: metasploit

Description

The session deserializer in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 mishandles multiple php_var_unserialize calls, which allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted session content.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Taoguang Chen · textdosphp

https://www.exploit-db.com/exploits/38123

View Code ZIP pw:eip

nomisec WORKING POC 3 stars

by ockeghem · poc

https://github.com/ockeghem/CVE-2015-6835-checker

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Marc-Alexandre Montpas, Christian Mehlmauer · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/joomla_http_header_rce.rb

View Code ZIP pw:eip

References (6)

[Various Sources] https://bugs.php.net/bug.php?id=70219

[Various Sources] http://php.net/ChangeLog-5.php

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1033548

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/76734

[Third Party Advisory] http://www.debian.org/security/2015/dsa-3358

[Third Party Advisory] https://security.gentoo.org/glsa/201606-10

Scores

CVSS v3 9.8

EPSS 0.2130

EPSS Percentile 95.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (30)

php/php 5.6.0 alpha1 (9 CPE variants)

php/php 5.6.1

php/php 5.6.2

php/php 5.6.3

php/php 5.6.4

php/php 5.6.5

php/php 5.6.6

php/php 5.6.7

php/php 5.6.8

php/php 5.6.9

... and 20 more

Published May 16, 2016

Tracked Since Feb 18, 2026