CVE-2004-0594

PHP 4.x-5.0.0RC3 - Remote Code Execution


Exploitation Summary

EIP tracks 1 public exploit for CVE-2004-0594. PoCs published by Gyan Chawdhary.

AI-analyzed exploit summary: This exploit targets a memory corruption vulnerability in PHP (CVE-2004-0594) by manipulating the `memory_limit` setting to trigger a heap overflow, allowing arbitrary code execution via shellcode. It uses crafted HTTP requests to corrupt memory structures and execute a reverse shell on port 36864.

Description

The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Gyan Chawdhary · c · remote · linux
https://www.exploit-db.com/exploits/660

Classification
Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: PHP 4 (<= 4.3.7) and PHP 5 (<= 5.0.0RC3)
No auth needed
Prerequisites: PHP with `register_globals` enabled · Apache or similar web server · Network access to target
devstral-2 · analyzed Feb 16, 2026

References (19)

Core References
Broken Link vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2004/0039/
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2004-395.html
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2004-405.html
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2004-392.html
Broken Link vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2004_21_php4.html
Broken Link, URL Repurposed mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023908.html
Broken Link vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000847
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108982983426031&w=2
Mailing List vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-669
Broken Link vendor-advisory x_refsource_debian
http://www.debian.org/security/2004/dsa-531
Broken Link vendor-advisory x_refsource_mandrake
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:068
Broken Link vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-816.html
Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=109181600614477&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16693
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109051444105182&w=2
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10725
Third Party Advisory mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108981780109154&w=2
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200407-13.xml

Scores

EPSS 0.5486
EPSS Percentile 98.9%

Details

CWE: CWE-367
Status: published
Products (13)
avaya/converged_communications_server 2.0
debian/debian_linux 3.0
hp/hp-ux b.11.00
hp/hp-ux b.11.11
hp/hp-ux b.11.22
hp/hp-ux b.11.23
openpkg/openpkg 2.0
openpkg/openpkg 2.1
php/php 5.0.0 beta1 (6 CPE variants)
php/php 4.0 - 4.3.7
... and 3 more
Published Jul 27, 2004
Tracked Since Feb 18, 2026