CVE-2007-1001
PHP 4.0.0-4.4.6 and 5.0.0-5.2.1 - Remote Code Execution via WBMP Image Integer Overflow
Title source: manualExploitation Summary
EIP tracks 1 public exploit for CVE-2007-1001. PoCs published by Ivan Fratric.
AI-analyzed exploit summary This exploit generates a malformed WBMP image file to trigger an integer overflow in PHP's GD extension, potentially leading to a denial of service or arbitrary code execution. The PoC writes a crafted header with an excessively large width value to provoke the vulnerability.
Description
Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Ivan Fratric · cdosphp
https://www.exploit-db.com/exploits/29823
This exploit generates a malformed WBMP image file to trigger an integer overflow in PHP's GD extension, potentially leading to a denial of service or arbitrary code execution. The PoC writes a crafted header with an excessively large width value to provoke the vulnerability.
Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target:
PHP 5.2.1 and prior versions
No auth needed
Prerequisites:
PHP with GD extension enabled
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (35)
Core 35
Core References
Release Notes x_refsource_confirm
http://us2.php.net/releases/4_4_7.php
Release Notes x_refsource_confirm
http://us2.php.net/releases/5_2_2.php
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2732
Various Sources vendor-advisory
x_refsource_slackware
http://www.slackware.org/security/viewer.php?l=slackware-security&y=2007&m=slackware-security.470053
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/25056
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/25151
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/33453
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10179
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/466166/100/0/threaded
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200705-19.xml
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0162.html
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:090
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/464957/100/0/threaded
Various Sources x_refsource_misc
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?r1=1.2.4.1&r2=1.2.4.1.8.1
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/24909
Various Sources x_refsource_misc
http://ifsec.blogspot.com/2007/04/php-521-wbmp-file-handling-integer.html
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:087
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/24945
Issue Tracking x_refsource_confirm
https://issues.rpath.com/browse/RPL-1268
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=306172
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/24924
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/23357
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2007-0155.html
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1269
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/24965
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/25159
Various Sources x_refsource_confirm
http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/wbmp.c?revision=1.2.4.1.8.1&view=markup
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:089
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/25445
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/24814
Vendor Advisory vendor-advisory
x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_32_php.html
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDKSA-2007:088
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/26235
Vendor Advisory vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0153.html
Scores
EPSS
0.0832
EPSS Percentile
94.2%
Details
CWE
CWE-189
Status
published
Products (36)
php/php
4.0 (8 CPE variants)
php/php
4.0.0
php/php
4.0.1 (3 CPE variants)
php/php
4.0.2
php/php
4.0.3 (2 CPE variants)
php/php
4.0.4 (2 CPE variants)
php/php
4.0.5
php/php
4.0.6
php/php
4.0.7 (4 CPE variants)
php/php
4.1.0
... and 26 more
Published
Apr 06, 2007
Tracked Since
Feb 18, 2026