Stefan Esser

61 exploits Active since Dec 2002
CVE-2004-0595 EXPLOITDB text WRITEUP
PHP 4.x-5.0.0RC3 - XSS
The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.
CVE-2007-1825 EXPLOITDB php WORKING POC
PHP 4 < 4.4.5 and 5 < 5.2.1 - Buffer Overflow in imap_mail_compose
Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.
CVE-2007-1583 EXPLOITDB php WORKING POC
PHP 4.0.0-4.4.6 & 5.0.0-5.2.1 - Code Injection
The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.
CVE-2007-1453 EXPLOITDB php WORKING POC
PHP 5.2.0 - Buffer Underflow in PHP_FILTER_TRIM_DEFAULT Macro
Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering extension (ext/filter) in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by calling filter_var with certain modes such as FILTER_VALIDATE_INT, which causes filter to write a null byte in whitespace that precedes the buffer.
CVE-2007-1718 EXPLOITDB php WORKING POC
PHP 4.0.0-4.4.6 and 5.0.0-5.2.1 - CRLF Injection via Mail Function Header Parameters
CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.
CVE-2007-3799 EXPLOITDB text WRITEUP
PHP 4.x-4.4.7 and 5.x-5.2.3 - Session Cookie Attribute Injection via Special Characters
The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to 5.2.3 allows remote attackers to insert arbitrary attributes into the session cookie via special characters in a cookie that is obtained from (1) PATH_INFO, (2) the session_id function, and (3) the session_start function, which are not encoded or filtered when the new session cookie is generated, a related issue to CVE-2006-0207.
CVE-2010-1866 EXPLOITDB CRITICAL php WORKING POC
PHP 5.3.0-5.3.2 - Denial of Service via Negative Chunk Size in HTTP Chunked Encoding Decoder
The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder.
CVSS 9.8
CVE-2010-2094 EXPLOITDB text WORKING POC
PHP 5.3 - Format String Vulnerability in phar Extension
Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function.
CVE-2007-1286 EXPLOITDB ruby WORKING POC
PHP < 4.4.4 - Remote Code Execution via Long String to unserialize Function
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
EIP-2026-104579 EXPLOITDB bash WORKING POC
Apple Mac OSX 10.10 - 'DYLD_PRINT_TO_FILE' Local Privilege Escalation
CVE-2007-1584 EXPLOITDB php WORKING POC
PHP 5.2.0 - Buffer Underflow via Header Function
Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string.
CVE-2007-1584 EXPLOITDB php WORKING POC
PHP 5.2.0 - Buffer Underflow via Header Function
Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string.
CVE-2007-1286 EXPLOITDB ruby WORKING POC
PHP < 4.4.4 - Remote Code Execution via Long String to unserialize Function
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
CVE-2007-1287 EXPLOITDB text WORKING POC
PHP 4.4.3-4.4.6 - Cross-Site Scripting via phpinfo GET POST or COOKIE Array Values
A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and PHP 6.0 in CVS, allows remote attackers to conduct cross-site scripting (XSS) attacks via GET, POST, or COOKIE array values, which are not escaped in the phpinfo output, as originally fixed for CVE-2005-3388.
CVE-2007-1452 EXPLOITDB php WORKING POC
PHP <= 5.2.0 - Filter Bypass via FDF Formatted POST
The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted POST.
CVE-2007-1359 EXPLOITDB text WRITEUP
ModSecurity <= 2.1.0 - Request Rule Bypass via ASCIIZ Byte in POST Data
Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows remote attackers to bypass request rules via application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a terminator even though it is still processed as normal data by some HTTP parsers including PHP 5.2.0, and possibly parsers in Perl, and Python.
CVE-2007-1649 EXPLOITDB php WORKING POC
PHP 5.2.1 - Heap Memory Disclosure via Serialized Data Input
PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed.
CVE-2007-1381 EXPLOITDB php WORKING POC
PHP - Buffer Overflow in wddx_deserialize via Malformed STRING Element
The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10.2.13 in PHP 5, as modified in CVS on 20070224 and fixed on 20070304, calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow.
CVE-2007-1383 EXPLOITDB CRITICAL php WORKING POC
PHP 4 - Remote Code Execution via 16-bit Reference Counter Overflow
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.
CVSS 9.8
CVE-2007-1375 EXPLOITDB php WORKING POC
PHP < 5.2.1 - Memory Read via substr_compare Length Argument
Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991.
CVE-2007-1380 EXPLOITDB php WORKING POC
PHP <4.4.5, <5.2.1 - Info Disclosure
The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
CVE-2007-0908 EXPLOITDB php WORKING POC
PHP <5.2.1 & <4.4.5 - Info Disclosure
The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
CVE-2003-0015 EXPLOITDB text WRITEUP
CVS <= 1.11.4 - Double Free via Malformed Directory Request
Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands.
CVE-2007-1700 EXPLOITDB php WORKING POC
PHP 4 <4.4.5, PHP 5 <5.2.1 - Code Injection
The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.
CVE-2007-1376 EXPLOITDB php WORKING POC
PHP <4.4.5, <5.2.1 - Memory Corruption
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.