cbcvebase.
CVE-2007-1286
published 2007-03-06


Priority: P3 (50), medium
CVSS 2.0: 6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P)
Exploit: available
EPSS: 40.44% (98.5th percentile)
Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
php    | php     | <= 4.4.4      |
php    | php     |               |

Detection & IOCs (extracted from sources)

path: /phpBB2/faq.php
path: /dmr/dmr.php
path: /phpwebgallery/index.php
path: /ariadne/loader.php/
path: /proma/index.php
path: /egroupware/login.php
  • Detect exploit attempts by monitoring for oversized Cookie headers (~900KB+) sent to PHP applications, particularly where the cookie value is passed to unserialize(). The exploit requires approximately 900k of data delivered via multiple Cookie headers.
  • Inspect HTTP responses for PHP version headers (X-Powered-By or Server) advertising PHP/4.x (specifically 4.4.4 and earlier) as these are the vulnerable versions targeted by this exploit.
  • Monitor for POST requests carrying large payloads (~2MB) combined with multiple Cookie headers targeting known application paths such as /phpBB2/faq.php, /index.php, /dmr/dmr.php, /phpwebgallery/index.php, /ariadne/loader.php/, /proma/index.php, /egroupware/login.php — indicative of the brute-force shellcode delivery method.
  • On x86 Linux systems, look for exploitation artifacts where the EDI register points into a hashtable string; this is a characteristic memory layout indicator of this specific vulnerability being triggered.
  • The exploit targets PHP 4.4.4 and all earlier versions supporting unserialize(); PHP 4.5.0 (patched by Stefan Esser) is not vulnerable. Detections based on PHP version headers should only flag PHP/4.x versions below 4.5.0.
  • The Metasploit module brute-forces return addresses in the range 0xb6000400–0xbfff0000 (step 1MB) for Linux x86 Generic targets; specific distributions (SuSE 64-bit: 0x005c0000, Backtrack 2.0: 0xb797a000, Gentoo: 0xb6900000) may require adjusted ranges.
  • The cookie name passed to unserialize() is application-specific and configurable via the COOKIENAME option; defenders should enumerate all cookies their PHP 4 applications pass to unserialize() and monitor those specifically.
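As an added example that is not part of this record or of the Metasploit module it cites, the following Python scores a raw HTTP request head against the indicators listed above (total Cookie bytes across all Cookie headers, POST body size, the known target paths) and checks whether a PHP version banner falls in the affected range. The thresholds, the example host and the sample request are constructed for illustration; the cookie payload is filler bytes.

```python
import re
# Thresholds from the detection notes above (constructed defaults; tune to your own traffic).
COOKIE_BYTES_THRESHOLD = 900 * 1024     # ~900 KB of Cookie data summed across all Cookie headers
BODY_BYTES_THRESHOLD = 2 * 1024 * 1024  # ~2 MB POST body
TARGET_PATHS = {"/phpBB2/faq.php", "/index.php", "/dmr/dmr.php", "/phpwebgallery/index.php",
                "/ariadne/loader.php/", "/proma/index.php", "/egroupware/login.php"}

def parse_request_head(raw: bytes):
    """Split a raw HTTP request head into (method, path, [(lowercase header name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    path = target.split("?", 1)[0]
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return method, path, headers

def php_version_vulnerable(header_value: str) -> bool:
    """True when an X-Powered-By/Server value advertises PHP 4.x below 4.5.0 (4.4.4 and earlier)."""
    m = re.search(r"PHP/(\d+)\.(\d+)", header_value)
    return bool(m) and int(m.group(1)) == 4 and int(m.group(2)) < 5

def score_request(raw: bytes) -> dict:
    """Flag a request whose shape matches the unserialize() overflow delivery described above."""
    method, path, headers = parse_request_head(raw)
    cookies = [v for n, v in headers if n == "cookie"]
    cookie_bytes = sum(len(v) for v in cookies)
    content_length = next((int(v) for n, v in headers if n == "content-length" and v.isdigit()), 0)
    reasons = []
    if cookie_bytes >= COOKIE_BYTES_THRESHOLD:
        reasons.append(f"oversized cookie data: {cookie_bytes} bytes across {len(cookies)} Cookie headers")
    if method == "POST" and content_length >= BODY_BYTES_THRESHOLD:
        reasons.append(f"large POST body: Content-Length {content_length}")
    if path in TARGET_PATHS and len(cookies) > 1:
        reasons.append(f"multiple Cookie headers sent to known target path {path}")
    return {"path": path, "cookie_bytes": cookie_bytes, "reasons": reasons, "suspicious": bool(reasons)}

def build_sample(path: str, cookie_chunks: int, chunk_size: int, body_len: int) -> bytes:
    """Constructed sample request head; the cookie payload is filler bytes, not exploit data."""
    head = f"POST {path} HTTP/1.1\r\nHost: www.example.invalid\r\nContent-Length: {body_len}\r\n"
    for i in range(cookie_chunks):
        head += f"Cookie: data{i}=" + "A" * chunk_size + "\r\n"
    return head.encode("latin-1") + b"\r\n"

if __name__ == "__main__":
    print(score_request(build_sample("/phpBB2/faq.php", 2, 460 * 1024, 2 * 1024 * 1024)))
    print(score_request(build_sample("/index.php", 1, 64, 120)))
```

Feed it the request head captured by a reverse proxy or IDS; a hit on the cookie-size rule alone is the strongest signal, since the path list is only what the cited module ships with.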

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat |         | 6.8   | MEDIUM   |