CVE-2007-1649

Name of the Vulnerable Software and Affected Versions: PHP version 5.2.1

Description: The issue allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:. This is due to an error in the unserialize() function, which does not properly track the number of input bytes being processed. Additionally, an off-by-one error exists in the str replace() function, which can be exploited by malicious local users to disclose potentially sensitive information.

Recommendations: For PHP version 5.2.1, consider disabling the unserialize() function until a patch is available to prevent exploitation. Restrict access to sensitive information and avoid using the str replace() function with untrusted input to minimize the risk of disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.