CVE-2014-3622
PHP vulnerability analysis and mitigation

Overview

Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value. The vulnerability was assigned CVE-2014-3622 and was discovered in September 2014 (PHP Bug Report).

Technical details

The vulnerability exists in add_post_var(), where input filters are allowed to change the values passed to them as char** parameters. The code handed &ksep to the input filter without first duplicating the value with estrndup(), which is unsafe because the filter then operates on memory the caller did not allocate for it. If a third-party filter extension modified or freed the value it was given, the result could be an illegal efree() that might be exploitable for remote code execution. The issue was introduced when the estrndup() call was removed and was later fixed by re-introducing estrndup() before passing values to input filters (PHP Bug Report, RedHat Bug).

Impact

While the vulnerability could potentially lead to remote code execution, the actual impact was considered low because exploitation required a third-party filter extension that modifies values in a specific way. At the time of discovery, only ext/filter and suhosin were known to use input filters, and neither modified values in a way that would trigger the vulnerability (PHP Bug Report, RedHat Bug).

Mitigation and workarounds

The vulnerability was fixed in PHP version 5.6.1 by re-introducing the estrndup() call before passing values to input filters. Users were advised to upgrade to PHP 5.6.1 or later versions. Only PHP 5.6.0 was affected; earlier versions were not vulnerable to this issue (RedHat Bug).
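The ownership problem described under Technical details, and the estrndup() fix described above, can be modelled in a few lines of C. The following is an added example, not PHP's own source: the mock_* allocator, the filter callbacks and the two add_post_var_* variants are simplified stand-ins chosen for this illustration, and the POST body is constructed. A tracked allocator replaces PHP's emalloc/efree so that a free of a pointer that was never allocated is counted instead of corrupting the heap.

```c
/* Added example (not PHP's code): a simplified model of the add_post_var()
 * ownership bug behind CVE-2014-3622. mock_emalloc/mock_efree stand in for
 * PHP's allocator and count illegal frees rather than crashing. All names
 * here are assumptions chosen for this model. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE];        /* registry of outstanding allocations */
static int illegal_frees;           /* frees of pointers we never handed out */

static void *mock_emalloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    abort();                        /* registry full: a model limit, not the bug under study */
}
static char *mock_estrndup(const char *s, size_t n) {
    char *p = mock_emalloc(n + 1); memcpy(p, s, n); p[n] = '\0'; return p;
}
static void mock_efree(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    illegal_frees++;                /* the real allocator would see an invalid free here */
}
static void mock_reset(void) {
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) { free(live[i]); live[i] = NULL; }
    illegal_frees = 0;
}

/* Input-filter contract modelled here: a filter may replace *val with a new
 * allocation and frees the old one, so the caller must own what it passes in. */
typedef int (*input_filter_fn)(char **val, size_t len, size_t *new_len);

static int filter_passthrough(char **val, size_t len, size_t *new_len) {
    (void)val; *new_len = len; return 1;
}
static int filter_rewrite(char **val, size_t len, size_t *new_len) {
    (void)len;
    char *replaced = mock_estrndup("sanitized", 9);
    mock_efree(*val);               /* legal only if *val is a heap allocation */
    *val = replaced; *new_len = 9; return 1;
}

/* Pre-5.6.1 shape: hands the filter a pointer straight into the request buffer. */
static void add_post_var_unsafe(char *buf, input_filter_fn filter) {
    char *ksep = strchr(buf, '=');
    size_t vlen, new_vlen;
    if (ksep) { *ksep++ = '\0'; vlen = strlen(ksep); } else { ksep = ""; vlen = 0; }
    if (filter(&ksep, vlen, &new_vlen)) { /* variable buf=ksep would be registered */ }
    /* ksep was never owned by this function: a replacing filter has already
       freed a pointer into buf, and the replacement leaks. */
}

/* 5.6.1 shape: duplicate first, so filter and caller only ever free heap memory. */
static void add_post_var_safe(char *buf, input_filter_fn filter) {
    char *ksep = strchr(buf, '=');
    size_t vlen, new_vlen;
    if (ksep) { *ksep++ = '\0'; vlen = strlen(ksep); } else { ksep = ""; vlen = 0; }
    char *val = mock_estrndup(ksep, vlen);
    if (filter(&val, vlen, &new_vlen)) { /* variable buf=val would be registered */ }
    mock_efree(val);                /* frees either the copy or the filter's replacement */
}

/* Runs one parser variant over a constructed POST body; returns illegal frees seen. */
static int run_case(void (*parser)(char *, input_filter_fn), input_filter_fn filter) {
    char body[] = "name=value";      /* constructed request body, lives on the stack */
    mock_reset();
    parser(body, filter);
    int n = illegal_frees;
    mock_reset();
    return n;
}

int main(void) {
    printf("unsafe + passthrough filter: %d illegal free(s)\n", run_case(add_post_var_unsafe, filter_passthrough));
    printf("unsafe + rewriting filter:   %d illegal free(s)\n", run_case(add_post_var_unsafe, filter_rewrite));
    printf("safe   + rewriting filter:   %d illegal free(s)\n", run_case(add_post_var_safe, filter_rewrite));
    return 0;
}
```

The unsafe variant is harmless with a passthrough filter, which matches the page's point that ext/filter and suhosin did not trigger the bug; only a filter that exercises its right to replace the value turns the missing copy into an invalid free. The safe variant pays one estrndup() per variable and is correct for both kinds of filter.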

This report was generated using AI.

Related PHP vulnerabilities (CVE ID | severity | score | technology | component | CISA KEV exploit | has fix | published date):

CVE-2026-23622 | HIGH | 8.7 | PHP | alextselegidis/easyappointments | KEV: No | Fix: No | Jan 15, 2026
CVE-2025-14894 | HIGH | 7.5 | PHP | livewire-filemanager/filemanager | KEV: No | Fix: No | Jan 16, 2026
CVE-2026-23626 | MEDIUM | 6.8 | PHP | kimai/kimai | KEV: No | Fix: Yes | Jan 18, 2026
CVE-2025-69198 | MEDIUM | 6 | PHP | pterodactyl/panel | KEV: No | Fix: Yes | Jan 19, 2026
CVE-2026-23496 | MEDIUM | 5.4 | PHP | pimcore/web2print-tools-bundle | KEV: No | Fix: Yes | Jan 15, 2026
