diff --git a/modules/exploits/multi/http/joomla_http_header_rce.rb b/modules/exploits/multi/http/joomla_http_header_rce.rb
index 52ea087395..489632f815 100644
--- a/modules/exploits/multi/http/joomla_http_header_rce.rb
+++ b/modules/exploits/multi/http/joomla_http_header_rce.rb
@@ -17,7 +17,9 @@ class Metasploit3 < Msf::Exploit::Remote
           Joomla suffers from an unauthenticated remote code execution that affects all versions from 1.5 to 3.4.
           By storing user supplied headers in the databases session table it's possible to truncate the input
           by sending an UTF-8 character. The custom created payload is then executed once the session is read
-          from the databse
+          from the databse. You also need to have a PHP version before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.
+          In later versions the deserialisation of invalid session data stops on the first error and the
+          exploit will not work.
       },
       'Author'	=>
         [
@@ -32,7 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote
           ['URL', 'https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html'],
           ['URL', 'https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html'],
           ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330'],
-          ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html']
+          ['URL', 'https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html'],
+          ['URL', 'https://bugs.php.net/bug.php?id=70219']
         ],
       'Privileged'     => false,
       'Platform'       => 'php',