PHP php_binary Session Deserialization Information Leak Vulnerability

2007.03.05
Credit: Stefan Esser
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

The PHP session extension comes with a serialization handler called 'php_binary' that is vulnerable to a heap information leak. This security hole is the result of a missing boundary check and allows leaking up to 126 bytes following the serialized data into array keys of the session. This can lead to the disclosure of sensitive information stored on the heap, like offsets (useful for further attacks), heap canaries, etc.

The php_binary session data format consists of one entry per serialized variable. Every entry starts with a one-byte size field that contains the length of the variable name, followed by the name itself and the serialized data. Unfortunately the extraction of the variable name happens without a boundary check, and therefore an oversized length value results in the name being read from outside the buffer. This leads to a heap information leak of up to 126 bytes.

Proof of concept, exploit or instructions to reproduce

The attached proof of concept exploit will leak the maximum of 126 bytes of heap data into PHP variables and produce a hexdump.

Heapdump
---------
00000000: 00 00 00 00 87 fe 60 e8 35 00 00 00 39 00 00 00 ......`.5...9...
00000010: 00 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 00 00 00 00 4b fe 60 e8 55 00 00 00 AAAA....K.`.U...
00000040: 35 00 00 00 89 68 25 50 25 00 00 00 a8 fd 91 b7 5....h%P%.......
00000050: a8 f2 91 b7 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 41 41 41 41 41 41 41 41 41 41 41 41 ....AAAAAAAAAAAA
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 .. AAAAAAAAAAAAAAA.

Notes

This is one of the many vulnerabilities of the MOPB that were previously disclosed by us to the vendor and is therefore fixed in their latest updates. We therefore recommend updating PHP to at least PHP 4.4.5 or PHP 5.2.1 to fix this issue.
SecurityReason Note : Exploit - http://securityreason.com/exploitalert/2056
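As an added illustration, not part of the advisory or of PHP's own session code, the following Python decoder for the php_binary format performs the boundary check that the vulnerable handler lacked: a length byte of 127 with only one name byte present is exactly the 126-byte over-read case described above. It assumes only scalar serialized values (i:, b:, s:, N;) and decodes names as Latin-1; the undefined-variable marker in the high bit of the length byte is modelled after PHP's handler.

```python
"""Bounds-checked reader for PHP's php_binary session format (added example)."""
import re

UNDEF_MARKER = 0x80  # high bit of the length byte: variable registered but undefined
MAX_NAME_LEN = 0x7F  # remaining 7 bits carry the name length, so at most 127


class PhpBinaryError(ValueError):
    """Raised when the session data is malformed instead of reading past it."""


def _read_value(buf, pos):
    """Decode one PHP-serialized scalar at pos; return (value, new_pos)."""
    if buf[pos:pos + 2] == b"N;":
        return None, pos + 2
    m = re.match(rb"([ib]):(-?\d+);", buf[pos:])
    if m:
        n = int(m.group(2))
        return (bool(n) if m.group(1) == b"b" else n), pos + m.end()
    m = re.match(rb's:(\d+):"', buf[pos:])
    if m:
        start = pos + m.end()
        end = start + int(m.group(1))
        # The declared string length must fit the buffer and be followed by '";'
        if buf[end:end + 2] != b'";':
            raise PhpBinaryError("string length does not match payload at %d" % pos)
        return buf[start:end].decode("latin-1"), end + 2
    raise PhpBinaryError("unsupported or malformed value at offset %d" % pos)


def decode_php_binary(buf):
    """Return {name: value} for every defined variable in a php_binary blob."""
    result = {}
    pos = 0
    while pos < len(buf):
        namelen = buf[pos] & MAX_NAME_LEN
        has_value = not (buf[pos] & UNDEF_MARKER)
        pos += 1
        # This is the check the vulnerable handler was missing: an oversized
        # length byte would otherwise copy up to 126 bytes from beyond the buffer
        # into the variable name, which then surfaces as an array key.
        if pos + namelen > len(buf):
            raise PhpBinaryError("name length %d exceeds remaining data" % namelen)
        name = buf[pos:pos + namelen].decode("latin-1")
        pos += namelen
        if not has_value:
            continue  # registered but undefined variable: no serialized payload
        value, pos = _read_value(buf, pos)
        result[name] = value
    return result
```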

