CVE-2007-3294

PHP Tidy Extension - Buffer Overflow via tidy_parse_string or tidy_repair_string

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-3294. PoCs published by rgod.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in PHP 5.2.3's tidy_parse_string() and tidy_repair_string() functions on Windows. It uses a crafted buffer to overwrite the EIP and execute shellcode that adds a user to the system.

Description

Multiple buffer overflows in libtidy, as used in the Tidy extension for PHP 5.2.3 and possibly other products, allow context-dependent attackers to execute arbitrary code via (1) a long second argument to the tidy_parse_string function or (2) an unspecified vector to the tidy_repair_string function. NOTE: this might only be an issue in environments where vsnprintf is implemented as a wrapper for vsprintf.

Exploits (1)

exploitdb WORKING POC VERIFIED

by rgod · phplocalwindows

https://www.exploit-db.com/exploits/4080

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in PHP 5.2.3's tidy_parse_string() and tidy_repair_string() functions on Windows. It uses a crafted buffer to overwrite the EIP and execute shellcode that adds a user to the system.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: PHP 5.2.3 with Tidy extension

No auth needed

Prerequisites: Tidy extension loaded in PHP · Windows XP SP2 or similar vulnerable environment

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/25735

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/36853

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/34931

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/4080

Scores

EPSS 0.0939

EPSS Percentile 94.8%

Details

CWE

CWE-119

Status published

Products (1)

php/php 5.2.3

Published Jun 20, 2007

Tracked Since Feb 18, 2026