PHP 5

Tenable plugin 95874 flags PHP 5.6.x < 5.6.29 by banner and anchors on CVE-2016-9935, an out-of-bounds read / memory-corruption bug in PHP's ext/wddx parser when it handles an empty boolean element in a wddxPacket XML document. The same release also fixed an openssl_pbkdf2() crash bug (bug #72776, tied to CVE-2016-7132). Upstream fixed these in PHP 5.6.29 on 2016-12-08.

The vendor-style severity is inflated for most estates because the scary 9.8 score assumes the attacker can directly hit a vulnerable parsing path, but in reality they usually need a reachable application endpoint that feeds attacker-controlled XML into the deprecated WDDX extension. That extension was later deprecated and unbundled, which tells you how niche it became. So yes, old internet-facing PHP deserves attention, but this specific plugin is not a universal drop-everything critical unless you confirm real WDDX exposure.

Why this verdict

• Start from 9.8, then cut for the sink requirement: vendor scoring assumes direct unauthenticated remote reachability to the vulnerable parser, but the real exploit needs attacker-controlled input to hit wddx_deserialize() or equivalent WDDX handling.
• Deprecated feature, narrow population: WDDX was later deprecated and unbundled, which is strong evidence this is a legacy niche, not a core PHP path most modern apps exercise.
• No strong exploitation pressure: no KEV entry, no strong modern campaign evidence, and only moderate EPSS means this is not behaving like a must-stop-everything edge-RCE despite the memory-corruption label.

Why not higher?

This is not higher because most estates with old PHP still will not expose a reachable WDDX parser sink to unauthenticated users. Also, public evidence leans much more toward crashability than toward a clean, repeatable, widely used RCE chain for this exact bug.

Why not lower?

This is not lower because the attacker needs no auth and no user interaction once the vulnerable parser path exists. Also, any externally reachable PHP 5.6 server is legacy debt with poor safety margin, so a pure backlog-only rating would understate operational risk.

1. Disable or remove WDDX where unused — If the application does not require ext/wddx, remove it from the active PHP SAPI or disable the code path using wddx_deserialize(). For a MEDIUM finding there is no formal mitigation SLA, but this is the highest-value temporary control because it removes the decisive exploit sink while you work toward remediation within the 365-day remediation window.
2. Constrain internet reachability to legacy PHP pools — Put legacy PHP 5.6 apps behind tighter reverse-proxy ACLs, VPN-only access, or origin restrictions if they do not need broad public reach. There is no noisgate mitigation deadline for MEDIUM, but use this as a same-change-window hardening step for externally reachable systems while planning the actual upgrade inside the 365-day remediation window.
3. Verify package backports before declaring exposure — For distro-managed hosts, confirm package fix level with credentialed checks instead of trusting a remote banner alone. This avoids burning patch bandwidth on false positives while still meeting the MEDIUM remediation expectation.
4. Search code for wddx_deserialize and adjacent XML handlers — A quick code and config sweep tells you whether the scary CVSS path is real in your estate. Prioritize apps that are internet-facing and actually deserialize untrusted XML, then drive those first through the remediation window.

Run this on the target host that actually executes PHP, not on your scanner. Invoke it as bash check_php_95874.sh /usr/bin/php (or point it at the exact php binary used by the affected pool/container); no root is required for a basic version/module check, but you may need shell access inside the container or VM.

#!/usr/bin/env bash
# check_php_95874.sh
# Determine likely exposure for Tenable plugin 95874 (PHP 5.6.x < 5.6.29).
# Usage: bash check_php_95874.sh /path/to/php
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

PHPBIN="${1:-php}"

if ! command -v "$PHPBIN" >/dev/null 2>&1; then
  echo "UNKNOWN: PHP binary not found: $PHPBIN"
  exit 2
fi

VER="$($PHPBIN -r 'echo PHP_VERSION;' 2>/dev/null || true)"
if [ -z "$VER" ]; then
  echo "UNKNOWN: Unable to read PHP version from $PHPBIN"
  exit 2
fi

MODS="$($PHPBIN -m 2>/dev/null || true)"
WDDX_STATE="not-loaded"
if printf '%s
' "$MODS" | grep -qi '^wddx$'; then
  WDDX_STATE="loaded"
fi

# Normalize version: handle values like 5.6.28-1ubuntu4.21 or 5.6.29
BASE_VER="$(printf '%s' "$VER" | sed -E 's/[^0-9.].*$//')"

version_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s
%s
' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

if printf '%s' "$BASE_VER" | grep -Eq '^5\.6\.[0-9]+$'; then
  if version_lt "$BASE_VER" "5.6.29"; then
    echo "VULNERABLE: PHP $VER detected (< 5.6.29); WDDX is $WDDX_STATE"
    exit 1
  else
    echo "PATCHED: PHP $VER is not in the affected upstream range; WDDX is $WDDX_STATE"
    exit 0
  fi
fi

# If it's not PHP 5.6.x, this specific Tenable plugin does not apply.
echo "PATCHED: PHP $VER is outside Tenable 95874's affected range (5.6.x < 5.6.29); WDDX is $WDDX_STATE"
exit 0

Sources

1. Tenable Nessus Plugin 95874
2. PHP 5 ChangeLog - Version 5.6.29
3. NVD - CVE-2016-9935
4. PHP Security Bug #73631
5. PHP Manual - WDDX
6. PHP Supported Versions
7. Debian DSA-3737-1
8. Ubuntu CVE-2016-9935