CVE-2007-1001

PHP <5.2.1 - RCE


Description

Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Ivan Fratric · cdosphp
https://www.exploit-db.com/exploits/29823


Scores

EPSS 0.1159
EPSS Percentile 93.7%

Details

CWE CWE-189
Status published
Products (36)
php/php 4.0 (8 CPE variants)
php/php 4.0.0
php/php 4.0.1 (3 CPE variants)
php/php 4.0.2
php/php 4.0.3 (2 CPE variants)
php/php 4.0.4 (2 CPE variants)
php/php 4.0.5
php/php 4.0.6
php/php 4.0.7 (4 CPE variants)
php/php 4.1.0
... and 26 more
Published Apr 06, 2007
Tracked Since Feb 18, 2026