CVE-2007-1581

PHP 5.0.0-5.2.13 and 5.3.0-5.3.2 - Remote Code Execution via Hash Update File Resource Manipulation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1581. PoCs published by Stefan Esser.

AI-analyzed exploit summary This exploit leverages a use-after-free vulnerability in PHP's `hash_update_file()` function to execute arbitrary shellcode. It includes a memory leak technique via `substr_compare()` to determine the offset for reliable exploitation.

Description

The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources. NOTE: it was later reported that PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 are also affected.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Stefan Esser · phplocallinux

https://www.exploit-db.com/exploits/3529

View Code ZIP pw:eip

This exploit leverages a use-after-free vulnerability in PHP's `hash_update_file()` function to execute arbitrary shellcode. It includes a memory leak technique via `substr_compare()` to determine the offset for reliable exploitation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: PHP (versions affected by CVE-2007-1581)

No auth needed

Prerequisites: PHP with vulnerable `hash_update_file()` function · Ability to execute PHP code on the target system

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/3529

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/24542

Exploit x_refsource_misc

http://php-security.org/2010/05/01/mops-2010-001-php-hash_update_file-already-freed-resource-access-vulnerability/index.html

Exploit, Vendor Advisory x_refsource_misc

http://www.php-security.org/MOPB/MOPB-28-2007.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/33248

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/23062

Scores

EPSS 0.0792

EPSS Percentile 94.0%

Details

CWE

CWE-94

Status published

Products (31)

php/php 5.0 rc1 (3 CPE variants)

php/php 5.0.0

php/php 5.0.1

php/php 5.0.2

php/php 5.0.3

php/php 5.0.4

php/php 5.0.5

php/php 5.1.0

php/php 5.1.1

php/php 5.1.2

... and 21 more

Published Mar 21, 2007

Tracked Since Feb 18, 2026