CVE-2007-1700

PHP 4 <4.4.5, PHP 5 <5.2.1 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-1700. PoCs published by Stefan Esser.

AI-analyzed exploit summary This exploit targets a vulnerability in PHP's session handling (CVE-2007-1700) by manipulating the session variables to execute arbitrary shellcode. The PoC includes a protection line to prevent accidental execution and is designed for PHP versions 4 and 5.

Description

The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Stefan Esser · phplocallinux

https://www.exploit-db.com/exploits/3571

View Code ZIP pw:eip

This exploit targets a vulnerability in PHP's session handling (CVE-2007-1700) by manipulating the session variables to execute arbitrary shellcode. The PoC includes a protection line to prevent accidental execution and is designed for PHP versions 4 and 5.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP (versions 4 and 5)

No auth needed

Prerequisites: PHP session handling enabled · Ability to send crafted session data

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (17)

Core 17

Core References

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2007/1991

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25056

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2007/dsa-1283

Vendor Advisory vendor-advisory x_refsource_hp

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506

Third Party Advisory vendor-advisory x_refsource_gentoo

http://security.gentoo.org/glsa/glsa-200705-19.xml

Various Sources x_refsource_misc

http://www.php-security.org/MOPB/MOPB-30-2007.html

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/23119

Vendor Advisory vendor-advisory x_refsource_hp

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25062

Third Party Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2007/2374

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25423

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/usn-455-1

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25850

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25445

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25057

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/33520

Vendor Advisory vendor-advisory x_refsource_suse

http://www.novell.com/linux/security/advisories/2007_32_php.html

Scores

EPSS 0.0902

EPSS Percentile 94.6%

Details

Status published

Products (35)

php/php 4.0 (8 CPE variants)

php/php 4.0.0

php/php 4.0.1 (3 CPE variants)

php/php 4.0.2

php/php 4.0.3 (2 CPE variants)

php/php 4.0.4 (2 CPE variants)

php/php 4.0.5

php/php 4.0.6

php/php 4.0.7 (4 CPE variants)

php/php 4.1.0

... and 25 more

Published Mar 27, 2007

Tracked Since Feb 18, 2026