
Sid 1-47155


SERVER-WEBAPP PHP unserialize integer overflow attempt


This event is generated when an attacker attempts to trigger an integer overflow through the unserialize function in PHP.


Attempted Administrator Privilege Gain


CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

The rule looks for a payload containing an exploit that triggers the overflow in order to gain admin control over the victim system.

CVE-2017-5340: Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data.

Affected systems

  • php php 7.0.0
  • php php 7.0.1
  • php php 7.0.2
  • php php 7.0.3
  • php php 7.0.4
  • php php 7.0.5
  • php php 7.0.6
  • php php 7.0.7
  • php php 7.0.8
  • php php 7.0.9
  • php php 7.0.10
  • php php 7.0.11
  • php php 7.0.12
  • php php 7.0.13
  • php php 7.0.14

Ease of attack


Access Vector

Access Complexity


False positives

False negatives

Corrective action


  • Cisco's Talos Intelligence Group

Additional References