CVE-2012-3450
PHP < 5.3.14 and 5.4.x < 5.4.4 - Denial of Service via PDO Prepared Statement Parsing
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2012-3450. PoCs published by 0x721427D8.
AI-analyzed exploit summary: This exploit demonstrates a denial-of-service vulnerability in PHP's PDO extension by triggering a segmentation fault during parameter parsing. The PoC uses malformed SQL queries with placeholders to crash the PHP worker process.
Description
pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.