Stefan Esser

61 exploits. Active since Dec 2002.
CVE-2007-1521 EXPLOITDB php WORKING POC
PHP <4.4.7, <5.2.2 - Use After Free
Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation.
CVE-2007-1581 EXPLOITDB php WORKING POC
PHP 5.0.0-5.2.13 and 5.3.0-5.3.2 - Remote Code Execution via Hash Update File Resource Manipulation
The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources. NOTE: it was later reported that PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 are also affected.
CVE-2007-1522 EXPLOITDB php WORKING POC
PHP 5.2.0-5.2.1 - Remote Code Execution via Session Identifier Double Free
Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.
CVE-2007-1399 EXPLOITDB CRITICAL php WORKING POC
PHP 5.2.0-5.2.1 - Remote Code Execution via Long zip:// URL
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.
CVSS 9.8
CVE-2007-1582 EXPLOITDB php WORKING POC
PHP 4.0.0-4.4.6 and 5.0.0-5.2.1 - Remote Code Execution via Userspace Error Handler
The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.
CVE-2007-1484 EXPLOITDB php WORKING POC
PHP <4.4.6 & <5.2.1 - Code Injection
The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called.
CVE-2007-1701 EXPLOITDB php WORKING POC
PHP 4.0.0-4.4.4 - Remote Code Execution via Session Data Deserialization
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".
CVE-2007-1376 EXPLOITDB php WORKING POC
PHP <4.4.5, <5.2.1 - Memory Corruption
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.
CVE-2007-1286 EXPLOITDB php WORKING POC
PHP <4.4.4 - Remote Code Execution via Long String to unserialize Function
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
CVE-2007-1711 EXPLOITDB php WORKING POC
PHP 4.4.5-4.4.6 - Use-After-Free in Unserializer
Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).
CVE-2004-2012 EXPLOITDB c WORKING POC
NetBSD/FreeBSD - Privilege Escalation
The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dev/systrace connection before setting euid to 0, which allows local users to gain root privileges.