CVE-2007-1521

PHP <4.4.7, <5.2.2 - Use After Free

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1521. PoCs published by Stefan Esser.

AI-analyzed exploit summary This exploit targets a double-free vulnerability in PHP 5's session_regenerate_id() function, leveraging heap manipulation to achieve remote code execution via shellcode injection. It includes a bindshell payload and uses the substr_compare() vulnerability to locate memory offsets dynamically.

Description

Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Stefan Esser · phplocallinux
https://www.exploit-db.com/exploits/3479

This exploit targets a double-free vulnerability in PHP 5's session_regenerate_id() function, leveraging heap manipulation to achieve remote code execution via shellcode injection. It includes a bindshell payload and uses the substr_compare() vulnerability to locate memory offsets dynamically.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: PHP 5 (specific versions affected by CVE-2007-1521)
No auth needed
Prerequisites: PHP 5 with vulnerable session handling · Ability to trigger session_regenerate_id()
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (21)

Core 21
Core References
Release Notes x_refsource_confirm
http://us2.php.net/releases/5_2_2.php
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/0960
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2732
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25056
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2007/dsa-1283
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/24505
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200705-19.xml
Release Notes x_refsource_confirm
http://us2.php.net/releases/4_4_7.php
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25062
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/usn-455-1
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2007/dsa-1282
Vendor Advisory x_refsource_confirm
http://docs.info.apple.com/article.html?artnum=306172
Exploit, Vendor Advisory x_refsource_misc
http://www.php-security.org/MOPB/MOPB-22-2007.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/25159
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25445
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25057
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_32_php.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25025
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/22968
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26235

Scores

EPSS 0.0849
EPSS Percentile 94.3%

Details

Status published
Products (1)
php/php < 5.2.1
Published Mar 20, 2007
Tracked Since Feb 18, 2026