CVE-2007-1285

PHP 3/4/5 - ZendEngine Variable Destruction Remote Denial of Service

Severity Score (CVSS v3.1): 7.5
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (multiple sources): 3
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.

Several vulnerabilities were found in PHP, most of them during the Month Of PHP Bugs (MOPB) by Stefan Esser. The most severe of these vulnerabilities are integer overflows in wbmp.c from the GD library and in the substr_compare() PHP 5 function. Ilia Alshanetsky also reported a buffer overflow in the make_http_soap_request() and in the user_filter_factory_create() functions, and Stanislav Malyshev discovered another buffer overflow in the bundled XMLRPC library. Additionally, the session_regenerate_id() and the array_user_key_compare() functions contain a double-free vulnerability. Finally, there exist implementation errors in the Zend engine, in the mb_parse_str(), the unserialize() and the mail() functions and other elements. Versions less than 5.2.2 are affected.

*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: None
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-03-01 First Exploit
  • 2007-03-06 CVE Reserved
  • 2007-03-06 CVE Published
  • 2024-08-07 CVE Updated
  • 2025-05-21 EPSS Updated
  • Exploited in Wild: -
  • KEV Due Date: -
CWE
  • CWE-674: Uncontrolled Recursion
CAPEC
References (41)
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2007-07/msg00006.html 2024-02-02
http://rhn.redhat.com/errata/RHSA-2007-0154.html 2024-02-02
http://rhn.redhat.com/errata/RHSA-2007-0155.html 2024-02-02
http://rhn.redhat.com/errata/RHSA-2007-0163.html 2024-02-02
http://secunia.com/advisories/24909 2024-02-02
http://secunia.com/advisories/24910 2024-02-02
http://secunia.com/advisories/24924 2024-02-02
http://secunia.com/advisories/24941 2024-02-02
http://secunia.com/advisories/24945 2024-02-02
http://secunia.com/advisories/25445 2024-02-02
http://secunia.com/advisories/26048 2024-02-02
http://secunia.com/advisories/26642 2024-02-02
http://secunia.com/advisories/27864 2024-02-02
http://secunia.com/advisories/28936 2024-02-02
http://security.gentoo.org/glsa/glsa-200705-19.xml 2024-02-02
http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.335136 2024-02-02
http://www.mandriva.com/security/advisories?name=MDKSA-2007:087 2024-02-02
http://www.mandriva.com/security/advisories?name=MDKSA-2007:088 2024-02-02
http://www.mandriva.com/security/advisories?name=MDKSA-2007:089 2024-02-02
http://www.mandriva.com/security/advisories?name=MDKSA-2007:090 2024-02-02
http://www.redhat.com/support/errata/RHSA-2007-0082.html 2024-02-02
http://www.redhat.com/support/errata/RHSA-2007-0162.html 2024-02-02
http://www.ubuntu.com/usn/usn-549-2 2024-02-02
https://usn.ubuntu.com/549-1 2024-02-02
https://access.redhat.com/security/cve/CVE-2007-1285 2007-04-20
https://bugzilla.redhat.com/show_bug.cgi?id=1618296 2007-04-20
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Php | Php | >= 4.0.0 < 4.4.7 | - | Affected
Php | Php | >= 5.0.0 < 5.2.2 | - | Affected
Canonical | Ubuntu Linux | 7.10 | - | Affected
Novell | Suse Linux | 10.0 | - | Affected
Novell | Suse Linux | 10.1 | - | Affected
Suse | Linux Enterprise Server | 8 | - | Affected
Suse | Linux Enterprise Server | 10 | sp1 | Affected
Redhat | Enterprise Linux Desktop | 3.0 | - | Affected
Redhat | Enterprise Linux Desktop | 4.0 | - | Affected
Redhat | Enterprise Linux Server | 2.0 | - | Affected
Redhat | Enterprise Linux Server | 3.0 | - | Affected
Redhat | Enterprise Linux Server | 4.0 | - | Affected
Redhat | Enterprise Linux Workstation | 2.0 | - | Affected
Redhat | Enterprise Linux Workstation | 3.0 | - | Affected
Redhat | Enterprise Linux Workstation | 4.0 | - | Affected