CVE-2009-2626

PHP < 5.2.10 - Memory Disclosure and Denial of Service via ini_set and ini_restore

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2009-2626. PoCs published by Maksymilian Arciemowicz.

AI-analyzed exploit summary The exploit demonstrates an information disclosure vulnerability in PHP 5.2.10 and 5.3 by manipulating `ini_set` and `ini_restore` to bypass intended restrictions, potentially leaking sensitive configuration details.

Description

The zend_restore_ini_entry_cb function in zend_ini.c in PHP 5.3.0, 5.2.10, and earlier versions allows context-specific attackers to obtain sensitive information (memory contents) and cause a PHP crash by using the ini_set function to declare a variable, then using the ini_restore function to restore the variable.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Maksymilian Arciemowicz · textlocalphp

https://www.exploit-db.com/exploits/10296

View Code ZIP pw:eip

The exploit demonstrates an information disclosure vulnerability in PHP 5.2.10 and 5.3 by manipulating `ini_set` and `ini_restore` to bypass intended restrictions, potentially leaking sensitive configuration details.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: PHP 5.2.10, PHP 5.3

No auth needed

Prerequisites: PHP environment with vulnerable version

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Maksymilian Arciemowicz · phpremotephp

https://www.exploit-db.com/exploits/33163

View Code ZIP pw:eip

This exploit demonstrates an information disclosure vulnerability in PHP (CVE-2009-2626) by manipulating the 'open_basedir' setting to bypass restrictions and include arbitrary files. The PoC shows how an attacker can reset the 'open_basedir' directive after setting it, potentially leading to unauthorized file access.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: PHP (versions affected by CVE-2009-2626)

No auth needed

Prerequisites: PHP installation vulnerable to CVE-2009-2626

MITRE ATT&CK

T1083 - File and Directory Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Maksymilian Arciemowicz · phpremotephp

https://www.exploit-db.com/exploits/33162

View Code ZIP pw:eip

This exploit leverages a PHP session path vulnerability (CVE-2009-2626) to disclose sensitive information by manipulating the session.save_path directive. The PoC demonstrates how an attacker can exploit this to gain unauthorized access to session data.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: PHP (versions prior to 5.2.11 and 5.3.0)

No auth needed

Prerequisites: PHP installation with vulnerable session handling

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Core References

Patch vendor-advisory x_refsource_debian

http://www.debian.org/security/2009/dsa-1940

Various Sources x_refsource_confirm

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/Zend/zend_ini.c?r1=272370&r2=284156

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/37482

Patch x_refsource_confirm

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540605

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/36009

Exploit third-party-advisory x_refsource_sreasonres

http://securityreason.com/achievement_securityalert/65

Scores

EPSS 0.0831

EPSS Percentile 94.2%

Details

Status published

Products (35)

php/php 1.0

php/php 2.0

php/php 2.0b10

php/php 3.0

php/php 3.0.1

php/php 3.0.2

php/php 3.0.3

php/php 3.0.4

php/php 3.0.5

php/php 3.0.6

... and 25 more

Published Dec 01, 2009

Tracked Since Feb 18, 2026