Php Exploits
1,332 exploits tracked across all sources.
PHP 5.2.0-5.2.1 - Remote Code Execution via Session Identifier Double Free
Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors.
by Stefan Esser
PHP 5.2.0 - Buffer Underflow in PHP_FILTER_TRIM_DEFAULT Macro
Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering extension (ext/filter) in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by calling filter_var with certain modes such as FILTER_VALIDATE_INT, which causes filter to write a null byte in whitespace that precedes the buffer.
by Stefan Esser
PHP 5.2.0 - Buffer Underflow via Header Function
Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string.
by Stefan Esser
NukeSentinel <2.5.06 - SQL Injection
nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive regular expression to validate an IP address, which allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, due to an incomplete patch for CVE-2007-1172.
by DarkFig
PHP <= 5.2.0 - Filter Bypass via FDF Formatted POST
The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted POST.
by Stefan Esser
PHP < 5.2.3 - Buffer Overflow in SNMP Extension via snmpget Function
Buffer overflow in the snmpget function in the snmp extension in PHP 5.2.3 and earlier, including PHP 4.4.6 and probably other PHP 4 versions, allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id).
by rgod
PHP - Information Disclosure via cpdf_open Function
The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 allows context-dependent attackers to obtain sensitive information (script source code) via a long string in the second argument.
by rgod
PHP 5.2.0-5.2.1 - Remote Code Execution via Long zip:// URL
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.
by Stefan Esser
CVSS 9.8
PHP < 5.0.0 - Buffer Overflow in CrackLib crack_opendict Function
Buffer overflow in the crack extension (CrackLib), as bundled with PHP 4.4.6 and other versions before 5.0.0, might allow local users to gain privileges via a long argument to the crack_opendict function.
by rgod
PHP COM Extensions - Remote Code Execution via WScript.Shell COM Object
The PHP COM extensions for PHP on Windows systems allow context-dependent attackers to execute arbitrary code via a WScript.Shell COM object, as demonstrated by using the Run method of this object to execute cmd.exe, which bypasses PHP's safe mode.
by anonymous
PHP < 5.2.1 - Memory Read via substr_compare Length Argument
Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991.
by Stefan Esser
PHP <4.4.5, <5.2.1 - Memory Corruption
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.
by Stefan Esser
PHP <4.4.5, <5.2.1 - Memory Corruption
The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.
by Stefan Esser
PHP < 4.4.6 - Buffer Overflow via mssql_connect and mssql_pconnect Functions
Buffer overflow in PHP 4.4.6 and earlier, and unspecified PHP 5 versions, allows local and possibly remote attackers to execute arbitrary code via long server name arguments to the (1) mssql_connect and (2) mssql_pconnect functions.
by rgod
Rigter Portal System 6.2 - SQL Injection
SQL injection vulnerability in Rigter Portal System (RPS) 6.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categoria parameter to the top-level URI (index.php), possibly related to ver_descarga.php.
by s0cratex
PHP <5.2.1 & <4.4.5 - Info Disclosure
The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.
by Stefan Esser
PHP <4.4.5, <5.2.1 - Info Disclosure
The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
by Stefan Esser
PHP - Buffer Overflow in wddx_deserialize via Malformed STRING Element
The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10.2.13 in PHP 5, as modified in CVS on 20070224 and fixed on 20070304, calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow.
by Stefan Esser
PHP < 4.4.4 - Remote Code Execution via Long String to unserialize Function
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.
by Stefan Esser
phpmyfaq < 1.6.7 - SQL Injection
SQL injection vulnerability in phpMyFAQ 1.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors, possibly the userfile or filename parameter.
by elgCrew
PHP 4 - Remote Code Execution via 16-bit Reference Counter Overflow
Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.
by Stefan Esser
CVSS 9.8
Jelsoft vBulletin <3.5.8-3.6.5 - SQL Injection
SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances "almost impossible to achieve."
by rgod
stwc-counter < 3.4.0 - Remote Code Execution via stwc_counter_verzeichniss Parameter
PHP remote file inclusion vulnerability in downloadcounter.php in STWC-Counter 3.4.0.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the stwc_counter_verzeichniss parameter.
by burncycle
CS-Gallery < 2.0 - Remote File Inclusion via Album Parameter
PHP remote file inclusion vulnerability in index.php in Christian Schneider CS-Gallery 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the album parameter during a securealbum todo action.
by burncycle
By Source