CVE-2007-1286

Exploitation Summary

EIP tracks 4 public exploits for CVE-2007-1286. PoCs published by Metasploit, Stefan Esser, sesser, including Metasploit module exploits/multi/php/php_unserialize_zval_cookie.

AI-analyzed exploit summary This Metasploit module exploits an integer overflow vulnerability in PHP 4's unserialize() function via a maliciously crafted cookie. It targets multiple web applications and uses brute-forcing to achieve remote code execution on Linux x86 systems.

Description

Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/16310

View Code ZIP pw:eip

This Metasploit module exploits an integer overflow vulnerability in PHP 4's unserialize() function via a maliciously crafted cookie. It targets multiple web applications and uses brute-forcing to achieve remote code execution on Linux x86 systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP 4 (versions prior to 4.5.0)

No auth needed

Prerequisites: Fast network connection · Vulnerable PHP version · Target application using unserialize() on cookie data

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Stefan Esser · phpdoslinux

https://www.exploit-db.com/exploits/3396

View Code ZIP pw:eip

This exploit targets a reference counter overflow in PHP 4's unserialize() function, leading to arbitrary memory corruption. It constructs a malicious serialized string to trigger the vulnerability, causing a crash or potential code execution.

Classification

Working Poc 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Theoretical

Target: PHP 4

No auth needed

Prerequisites: PHP 4 installation · Ability to pass malicious serialized data to unserialize()

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by sesser · rubyremotephp

https://www.exploit-db.com/exploits/9939

View Code ZIP pw:eip

This Metasploit module exploits an integer overflow in PHP 4's unserialize() function via a maliciously crafted cookie. It targets multiple web applications and uses brute-forcing to achieve remote code execution on Linux x86 systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP 4 (versions prior to 4.5.0)

No auth needed

Prerequisites: Network access to the target web server · PHP 4 < 4.5.0 with unserialize() support

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC NORMAL

by hdm · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/php/php_unserialize_zval_cookie.rb

View Code ZIP pw:eip

This Metasploit module exploits an integer overflow vulnerability in PHP 4's unserialize() function via a maliciously crafted cookie. It targets multiple web applications and uses brute-forcing to achieve remote code execution on Linux x86 systems.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP 4 (versions prior to 4.5.0)

No auth needed

Prerequisites: Vulnerable PHP 4 installation · Network access to the target web application

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (32)

Core 32

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/32796

Vendor Advisory vendor-advisory x_refsource_trustix

http://www.trustix.org/errata/2007/0009/

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2007/1991

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2007/dsa-1283

Vendor Advisory vendor-advisory x_refsource_hp

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24606

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2007-0154.html

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/466166/100/0/threaded

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200705-19.xml

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24941

Vendor Advisory vendor-advisory x_refsource_hp

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200703-21.xml

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25062

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2007/2374

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25423

Exploit, Patch, Vendor Advisory x_refsource_misc

http://www.php-security.org/MOPB/MOPB-04-2007.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24419

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDKSA-2007:087

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24945

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2007/dsa-1282

Issue Tracking x_refsource_confirm

https://issues.rpath.com/browse/RPL-1268

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24924

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2007-0155.html

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24910

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25850

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25445

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2007-0163.html

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11575

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/22765

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25025

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/32771

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDKSA-2007:088

PHP < 4.4.4 - Remote Code Execution via Long String to unserialize Function

Exploitation Summary

Description

Exploits (4)

References (32)

Scores

Details