Stefan Esser

61 exploits Active since Dec 2002
CVE-2015-0231 WRITEUP WRITEUP
PHP < 5.4.37 - Use-After-Free via Unserialize Duplicate Numerical Keys
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
CVE-2007-1286 METASPLOIT ruby WORKING POC
PHP < 4.4.4 - Remote Code Execution via Long String to unserialize Function
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
CVE-2015-3760 METASPLOIT ruby WORKING POC
Apple OS X <10.10.5 - Privilege Escalation
dyld in Apple OS X before 10.10.5 does not properly validate pathnames in the environment, which allows local users to gain privileges via unspecified vectors.
EIP-2026-118516 EXPLOITDB c WORKING POC
eMule 0.2x Client - OP_SERVERIDENT Heap Overflow
EIP-2026-118515 EXPLOITDB c WORKING POC
eMule 0.2x - AttachToAlreadyKnown Double-Free
CVE-2002-1375 EXPLOITDB text WRITEUP
MySQL 3.x < 3.23.54 and 4.x <= 4.0.6 - Remote Code Execution via COM_CHANGE_USER Command
The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response.
CVE-2007-0107 EXPLOITDB python WORKING POC
WordPress < 2.0.6 - SQL Injection via Multibyte Charset Bypass
WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.
CVE-2007-3636 EXPLOITDB text WORKING POC
Squirrelmail G/PGP Plugin 2.1 - RCE
Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for Squirrelmail allow remote attackers to execute arbitrary commands via unspecified vectors. NOTE: this information is based upon a vague pre-advisory from a reliable researcher.
EIP-2026-111585 EXPLOITDB text WRITEUP
PunBB 1.x - 'profile.php' User Profile Edit Module SQL Injection
CVE-2005-1051 EXPLOITDB python WORKING POC
PunBB 1.2.4 - Authenticated SQL Injection via Profile ID Parameter
SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a change_email action.
CVE-2005-3388 EXPLOITDB text WORKING POC
PHP 4.4.0 and 5.0.5 phpinfo - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in the phpinfo function in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a "stacked array assignment."
EIP-2026-108050 EXPLOITDB text WRITEUP
Jaws 0.x - Remote File Inclusion
CVE-2010-1918 EXPLOITDB text WORKING POC
efront < 3.6.2 - SQL Injection via chatrooms_ID Parameter
SQL injection vulnerability in ask_chat.php in eFront 3.6.2 and earlier allows remote attackers to execute arbitrary SQL commands via the chatrooms_ID parameter.
CVE-2014-3704 EXPLOITDB php WORKING POC
Drupal 7.0-7.31 - SQL Injection via Array Key in Database API
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
CVE-2010-1859 EXPLOITDB text WORKING POC
DeluxeBB < 1.3 - SQL Injection via membercookie Cookie
SQL injection vulnerability in newpost.php in DeluxeBB 1.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the membercookie cookie when adding a new thread.
EIP-2026-105701 EXPLOITDB text WORKING POC
Campsite 3.x - 'article_id' SQL Injection
CVE-2007-1825 EXPLOITDB php WORKING POC
PHP 4 < 4.4.5 and 5 < 5.2.1 - Buffer Overflow in imap_mail_compose
Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.
CVE-2004-0595 EXPLOITDB text WRITEUP
PHP 4.x-5.0.0RC3 - XSS
The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.
CVE-2007-1890 EXPLOITDB php WORKING POC
PHP 4 < 4.4.5 and PHP 5 < 5.2.1 - Integer Overflow in msg_receive Function
Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff.
CVE-2007-1369 EXPLOITDB text WORKING POC
Zend Platform <2.2.3 - Local Privilege Escalation
ini_modifier (sgid-zendtech) in Zend Platform 2.2.3 and earlier allows local users to modify the system php.ini file by editing a copy of php.ini file using the -f parameter, and then performing a symlink attack using the directory that contains the attacker-controlled php.ini file, and linking this directory to /usr/local/Zend/etc.
CVE-2010-2094 EXPLOITDB text WORKING POC
PHP 5.3 - Format String Vulnerability in phar Extension
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
CVE-2007-1777 EXPLOITDB php WORKING POC
PHP 4 - Remote Code Execution via ZIP Archive Entry Length Overflow
Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 allows remote attackers to execute arbitrary code via a ZIP archive that contains an entry with a length value of 0xffffffff, which is incremented before use in an emalloc call, triggering a heap overflow.
CVE-2010-1866 EXPLOITDB CRITICAL php WORKING POC
PHP 5.3.0-5.3.2 - Denial of Service via Negative Chunk Size in HTTP Chunked Encoding Decoder
The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.
CVSS 9.8
CVE-2012-0830 EXPLOITDB php WORKING POC
PHP 5.3.9 - Remote Code Execution via Large Number of Variables
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.
CVE-2007-1286 EXPLOITDB ruby WORKING POC
PHP < 4.4.4 - Remote Code Execution via Long String to unserialize Function
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.