cbcvebase.
CVE-2007-1399
published 2007-03-10

CVE-2007-1399: Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute…

PriorityP357critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
19.83%
97.1th percentile
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.

Affected

3 ranges
VendorProductVersion rangeFixed in
phpphp
phpphp
pierrejoyephp_zip< 1.8.41.8.4

Detection & IOCsextracted from sources · hover to see the quote

urlzip://
  • Monitor for unusually long zip:// URL strings passed to PHP, which trigger the stack-based buffer overflow in the zip:// URL wrapper.
  • Inspect avatar upload and blog pingback functionality in PHP applications for attacker-supplied zip:// URLs, as these are the demonstrated attack vectors for triggering remote URL access.
  • ·Only PHP installations with the PECL ZIP extension (version 1.8.3 or earlier) are vulnerable; distributions that do not ship the zip extension are not affected.
  • ·Vulnerability is specifically bundled with PHP 5.2.0 and 5.2.1; confirm presence of PECL ZIP 1.8.3 or earlier before applying detections.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.