CVE-2012-0830
published 2012-02-06


Priority: P2 · 64 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 30.14% (98.0th percentile)
The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.

Affected (2 ranges)

Vendor   Product   Version range                  Fixed in
drupal   drupal    (not listed on this page)      (not listed on this page)
php      php       5.3.9 only (see notes below)   5.3.10

Detection & IOCs (extracted from the sources below)

Sources:
  • http://svn.php.net/viewvc?view=revision&revision=323007
  • http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
  • The public exploit sends a crafted multipart/form-data POST carrying a very large number of variables; its part boundary is MD5-based and each variable's data begins with chr(16) followed by repeated bytes. Monitor for abnormally large POST bodies with an excessive number of form-data fields sent to PHP 5.3.9 hosts.
  • The bug is reached inside php_register_variable_ex in php_variables.c while a request with a large number of variables is being registered, so the request itself is the trigger: alert on POSTs whose variable count exceeds normal thresholds (the max_input_vars limit, default 1000, is a reasonable starting point) against PHP 5.3.9 endpoints.
  • A remote attacker can send many such crafted POST requests, crashing PHP or executing arbitrary code with the permissions of the user running PHP; alert on repeated high-variable-count POSTs from a single source IP.
  • The vulnerability is specific to PHP 5.3.9 and results from the incorrect fix for CVE-2011-4885; PHP 5.3.10 carries the corrected fix. Downgrading to a version before the CVE-2011-4885 patch also removes this flaw, but it reopens the hash-collision DoS that patch addressed, so upgrading to 5.3.10 or later is the only sound option.
  • Suhosin's post.max_vars limit is bypassed when mbstring.encoding_translation is enabled (for example via .htaccess), because only every other POST variable is then checked; remove the mbstring.encoding_translation directive from .htaccess to restore Suhosin's effectiveness.
  • The max_input_vars directive, introduced in PHP 5.3.9 as the mitigation for CVE-2011-4885, was implemented incorrectly and is what creates this RCE; setting it on 5.3.9 is not a safe mitigation and does not substitute for the 5.3.10 fix.
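The detection guidance above (count form-data fields per POST, flag counts beyond max_input_vars, and alert on repeats from one source) as working code. This is an added example, not code from the page's sources or from PHP: the multipart parser, the request dict shape (method, src_ip, content_type, body), the thresholds and the sample traffic are all constructed here, and the chr(16)-plus-repeated-bytes marker is taken only from the description above.

```python
"""Detection logic for the CVE-2012-0830 request pattern: multipart/form-data
POST bodies with far more fields than any legitimate form, possibly repeated
from one source IP. Added example; thresholds and sample traffic are
constructed here, not taken from the original sources."""
import hashlib
import re
from collections import defaultdict

# PHP 5.3.9's default max_input_vars. Legitimate forms rarely approach it,
# so a higher count is a sensible alert threshold (assumption; tune per site).
MAX_INPUT_VARS_DEFAULT = 1000

BOUNDARY_RE = re.compile(r'multipart/form-data;.*?boundary="?([^";\s]+)"?', re.I)
DISPOSITION_RE = re.compile(r'content-disposition:\s*form-data;.*?name="([^"]*)"', re.I)


def iter_form_parts(content_type, body):
    """Yield (name, value) for each form-data part of a multipart body."""
    m = BOUNDARY_RE.search(content_type or "")
    if not m:
        return
    delim = b"--" + m.group(1).encode("latin-1")
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter reached
            return
        head, sep, value = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue
        d = DISPOSITION_RE.search(head.decode("latin-1"))
        if d:
            yield d.group(1), value[:-2] if value.endswith(b"\r\n") else value


def assess_request(req, max_vars=MAX_INPUT_VARS_DEFAULT):
    """Return the list of indicators matched by one request (empty means clean)."""
    if req["method"].upper() != "POST":
        return []
    parts = list(iter_form_parts(req.get("content_type"), req["body"]))
    hits = []
    if len(parts) > max_vars:
        hits.append("%d form fields > max_input_vars %d" % (len(parts), max_vars))
    # Secondary indicator from the PoC description: every value starts with
    # chr(16) followed by a run of a single repeated byte.
    marker = sum(1 for _, v in parts if v[:1] == b"\x10" and len(set(v[1:])) <= 1)
    if marker and marker == len(parts):
        hits.append("all %d values start with 0x10 then repeated bytes" % marker)
    return hits


def detect(requests, max_vars=MAX_INPUT_VARS_DEFAULT, repeat_threshold=3):
    """Scan requests in order; return (src_ip, hits) alerts, adding a repeat
    alert once one source has sent repeat_threshold suspicious POSTs."""
    alerts = []
    per_ip = defaultdict(int)
    for r in requests:
        hits = assess_request(r, max_vars)
        if not hits:
            continue
        alerts.append((r["src_ip"], hits))
        per_ip[r["src_ip"]] += 1
        if per_ip[r["src_ip"]] == repeat_threshold:
            alerts.append((r["src_ip"], ["repeat: %d high-variable-count POSTs" % repeat_threshold]))
    return alerts


def build_multipart(boundary, fields):
    """Serialise (name, value) byte pairs as a multipart/form-data body (constructed sample)."""
    out = []
    for name, value in fields:
        out.append(b"--" + boundary + b"\r\nContent-Disposition: form-data; name=\""
                   + name + b"\"\r\n\r\n" + value + b"\r\n")
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)


def sample_traffic():
    """Constructed traffic: one benign two-field login form, then four
    PoC-shaped requests (1200 fields, MD5-style boundary) from one IP."""
    benign = build_multipart(b"form1", [(b"user", b"alice"), (b"pass", b"hunter2")])
    bnd = hashlib.md5(b"constructed").hexdigest().encode()
    bad = build_multipart(bnd, [(b"v%d" % i, b"\x10" + b"A" * 16) for i in range(1200)])
    reqs = [{"method": "POST", "src_ip": "10.0.0.5",
             "content_type": "multipart/form-data; boundary=form1", "body": benign}]
    for _ in range(4):
        reqs.append({"method": "POST", "src_ip": "203.0.113.9",
                     "content_type": "multipart/form-data; boundary=" + bnd.decode(),
                     "body": bad})
    return reqs


if __name__ == "__main__":
    for ip, hits in detect(sample_traffic()):
        print(ip, "; ".join(hits))
```

Run against the constructed traffic, the benign form produces no alert, each of the four oversized POSTs produces one, and a fifth repeat alert fires on the third POST from 203.0.113.9. The field count is the indicator worth keeping in production; the 0x10 marker only matches that one published PoC and is trivially changed.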

CVSS provenance

nvd             v2.0   7.5   HIGH     AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat          5.0   MEDIUM
vendor_ubuntu          5.0   MEDIUM