CVE-2004-0594
Published 2004-07-27
Priority P347 · medium · 5.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 54.86% (98.9th percentile)
The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| avaya | converged_communications_server | — | — |
| debian | debian_linux | — | — |
| hp | hp-ux | — | — |
| hp | hp-ux | — | — |
| hp | hp-ux | — | — |
| hp | hp-ux | — | — |
| openpkg | openpkg | — | — |
| openpkg | openpkg | — | — |
| php | php | — | — |
| php | php | >= 4.0 < 4.3.7 | 4.3.7 |
| trustix | secure_linux | — | — |
| trustix | secure_linux | — | — |
| trustix | secure_linux | — | — |
Detection & IOCs (extracted from sources)
other: Content-Type: multipart/form-data; boundary=------------ BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
- Alert on inbound HTTP requests bearing the User-Agent string 'mlxdebug', which is hardcoded in the public exploit for CVE-2004-0594.
- Monitor for unexpected outbound or inbound TCP connections on port 36864, which is the bind-shell port opened by the exploit's shellcode upon successful exploitation.
- Detect multipart/form-data POST requests containing nested array form-field names (e.g., name="a[][]") sent in large quantities; the exploit uses repeated submissions of such requests to exhaust PHP memory and trigger the memory_limit abort.
- The exploit targets PHP installations where register_globals is enabled; audit PHP configurations for 'register_globals = On' as a high-risk indicator of exploitability.
- The vulnerability is only exploitable when the PHP 'memory_limit' configuration setting is enabled AND 'register_globals' is also enabled. Disabling either setting mitigates the attack vector.
- The exploit requires the attacker to force the PHP interpreter to allocate more memory than the memory_limit setting before script execution begins; the attack is conditional on the memory_limit being reachable via attacker-controlled input.
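The indicators and preconditions listed above, combined into one check as an added example (not code from any of the quoted sources). The function names, the request and connection record layouts, `BURST_THRESHOLD` and the sample data are assumptions made for illustration.

```python
import re
from collections import Counter

# Indicators quoted on this page for CVE-2004-0594.
EXPLOIT_UA = "mlxdebug"
BIND_SHELL_PORT = 36864
NESTED_FIELD = re.compile(rb'name="[^"\[\]]+(?:\[[^"\[\]]*\]){2,}"')  # e.g. name="a[][]"
BURST_THRESHOLD = 3  # assumption: tune to your own traffic baseline

def scan_requests(requests):
    """requests: dicts with src, method, headers, body (bytes). Returns sorted alerts."""
    alerts, nested_posts = set(), Counter()
    for r in requests:
        hdrs = {k.lower(): v for k, v in r["headers"].items()}
        if EXPLOIT_UA in hdrs.get("user-agent", "").lower():
            alerts.add(f"{r['src']}: exploit User-Agent")
        ctype = hdrs.get("content-type", "").lower()
        if (r["method"] == "POST" and ctype.startswith("multipart/form-data")
                and NESTED_FIELD.search(r["body"])):
            nested_posts[r["src"]] += 1
    for src, n in nested_posts.items():
        if n >= BURST_THRESHOLD:  # one nested upload is normal; a burst is not
            alerts.add(f"{src}: {n} multipart POSTs with nested array fields")
    return sorted(alerts)

def scan_connections(conns):
    """conns: (src_ip, dst_ip, dst_port) tuples. Returns those on the bind-shell port."""
    return [c for c in conns if c[2] == BIND_SHELL_PORT]

def audit_php_ini(text):
    """True when php.ini text has both preconditions named above."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key.lower()] = value.strip('"').lower()
    # Assumptions: absent register_globals counts as Off; absent memory_limit counts as enabled.
    globals_on = settings.get("register_globals", "off") in ("on", "1", "true", "yes")
    return globals_on and settings.get("memory_limit", "") != "-1"

# Constructed sample input (documentation addresses, not real traffic).
_BODY = b'--B\r\nContent-Disposition: form-data; name="a[][]"\r\n\r\nx\r\n--B--\r\n'
_HDRS = {"Content-Type": "multipart/form-data; boundary=B"}
SAMPLE_REQUESTS = (
    [{"src": "192.0.2.10", "method": "POST", "headers": _HDRS, "body": _BODY}] * 3
    + [{"src": "192.0.2.20", "method": "GET", "headers": {"User-Agent": "mlxdebug"}, "body": b""}]
)
SAMPLE_INI = "register_globals = On ; legacy app\nmemory_limit = 8M\n"
```

A single upload with a flat field name such as `name="file[]"` does not match; only repeated nested-array submissions from one source raise the burst alert.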
CVSS provenance
nvd · v2.0 · 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
vendor_redhat · 5.1 MEDIUM
GHSA
GHSA-jm2p-9h9p-vg22: The memory_limit functionality in PHP 4
ghsa_unreviewed·2022-04-29
CVE-2004-0594 [MEDIUM] CWE-367
Red Hat
security flaw
vendor_redhat·2004-07-13·CVSS 5.1
CVE-2004-0594 [MEDIUM] security flaw
Bugzilla
CVE-2004-0594 security flaw
bugzilla·2018-08-16·CVSS 5.1
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.
Bugzilla
CVE-2004-0595 PHP flaws (CVE-2004-0594 CVE-2004-1018 CVE-2004-1019)
bugzilla·2005-10-25·CVSS 5.1
Multiple flaws in Stronghold 4.0 PHP
A flaw in the strip_tags function in PHP, commonly used by PHP scripts to
prevent cross-site scripting attacks by removing HTML tags from
user-supplied form data. HTML tags can, in some cases, be passed intact
through the strip_tags function, which may allow a cross-site scripting
attack. (CVE-2004-0595)
A flaw if the memory_limit configuration setting is enabled in PHP. If a
remote attacker could force the PHP interpreter to allocate more memory
than the memory_limit setting before script execution begins, then the
attacker may be able to supply the contents of a PHP hash table remotely.
This hash table could then be used to execute arbitrary code in the context
of the server. (CVE-
arXiv
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
arxiv_fulltext·2025-04-01
Shuva Paul, Member, IEEE,
Farhad Alemi, Student Member, IEEE,
and Richard Macwan, Member, IEEE
Farhad Alemi is a graduate researcher at Arizona State University.
Shuva Paul and Richard Macwan are researchers at the National Renewable Energy Laboratory, Golden, CO
## Abstract
Successful defense against dynamically evolving cyber threats requires advanced and sophisticated techniques. This research presents a novel approach to enhance real-time cybersecurity threat detection and response by integrating large language models (LLMs) and Retrieval-Augmented Generation (RAG) systems with continuous threat intelligen
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000847
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023908.html
- http://marc.info/?l=bugtraq&m=108981780109154&w=2
- http://marc.info/?l=bugtraq&m=108982983426031&w=2
- http://marc.info/?l=bugtraq&m=109051444105182&w=2
- http://marc.info/?l=bugtraq&m=109181600614477&w=2
- http://www.debian.org/security/2004/dsa-531
- http://www.debian.org/security/2005/dsa-669
- http://www.gentoo.org/security/en/glsa/glsa-200407-13.xml
- http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:068
- http://www.novell.com/linux/security/advisories/2004_21_php4.html
- http://www.redhat.com/support/errata/RHSA-2004-392.html
- http://www.redhat.com/support/errata/RHSA-2004-395.html
- http://www.redhat.com/support/errata/RHSA-2004-405.html
- http://www.redhat.com/support/errata/RHSA-2005-816.html
- http://www.securityfocus.com/bid/10725
- http://www.trustix.org/errata/2004/0039/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16693
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10896