#VU110451 Input validation error in PHP - CVE-2007-1380


| Updated: 2025-06-12

Vulnerability identifier: #VU110451

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2007-1380

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.
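The defect described above is a length-prefixed field whose declared length is trusted without comparison against the bytes actually left in the buffer. The following is an added example (not PHP's own source) of a decoder for a simplified, assumed model of a php_binary-style entry header, where one byte carries the key length in its low seven bits and an "undefined variable" flag in its high bit; the decoder rejects any header whose length would run past the end of the input instead of reading adjacent memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed simplified model of a php_binary-style entry header (not PHP's
 * own format definition): one length byte, high bit = undefined variable,
 * low 7 bits = key length, followed by the key bytes and then the value. */
#define BIN_UNDEF 0x80u

struct entry_name {
    const unsigned char *key;   /* points into the caller's buffer */
    size_t key_len;
    int undef;
};

/* Parse one header starting at p without ever reading at or past end.
 * Returns bytes consumed (1 + key_len), or -1 when the declared key length
 * does not fit in the remaining input. Trusting key_len here is exactly the
 * over-read the advisory describes. */
long read_entry_name(const unsigned char *p, const unsigned char *end,
                     struct entry_name *out)
{
    if (p == NULL || end == NULL || p >= end)
        return -1;                              /* no length byte present */
    size_t key_len = *p & ~BIN_UNDEF;
    size_t remaining = (size_t)(end - p) - 1;   /* bytes after length byte */
    if (key_len > remaining)
        return -1;                              /* would over-read: reject */
    out->key = p + 1;
    out->key_len = key_len;
    out->undef = (*p & BIN_UNDEF) != 0;
    return (long)(1 + key_len);
}

/* Header length for an n-byte buffer, or -1 if malformed. */
long entry_header_len(const unsigned char *buf, size_t n)
{
    struct entry_name e;
    return read_entry_name(buf, buf + n, &e);
}

/* Constructed samples: a valid 3-byte key, the same key flagged undefined,
 * and a header claiming 127 key bytes while only 3 follow. */
const unsigned char SAMPLE_OK[]    = {0x03, 'f', 'o', 'o'};
const unsigned char SAMPLE_UNDEF[] = {0x83, 'f', 'o', 'o'};
const unsigned char SAMPLE_BAD[]   = {0x7f, 'f', 'o', 'o'};

int main(void)
{
    printf("ok=%ld undef=%ld bad=%ld\n",
           entry_header_len(SAMPLE_OK, sizeof SAMPLE_OK),
           entry_header_len(SAMPLE_UNDEF, sizeof SAMPLE_UNDEF),
           entry_header_len(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```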

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

PHP: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1, 4.1.1, 4.1.2, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10, 4.3.11, 4.4, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2


External links
https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056506
https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01086137
https://lists.suse.com/archive/suse-security-announce/2007-Mar/0003.html
https://secunia.com/advisories/24514
https://secunia.com/advisories/24606
https://secunia.com/advisories/25025
https://secunia.com/advisories/25056
https://secunia.com/advisories/25057
https://secunia.com/advisories/25062
https://secunia.com/advisories/25423
https://secunia.com/advisories/25850
https://security.gentoo.org/glsa/glsa-200703-21.xml
https://www.debian.org/security/2007/dsa-1282
https://www.debian.org/security/2007/dsa-1283
https://www.novell.com/linux/security/advisories/2007_32_php.html
https://www.php-security.org/MOPB/MOPB-10-2007.html
https://www.securityfocus.com/bid/22805
https://www.ubuntu.com/usn/usn-455-1
https://www.vupen.com/english/advisories/2007/1991
https://www.vupen.com/english/advisories/2007/2374
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10792
https://www.exploit-db.com/exploits/3413


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
