A newly discovered critical security flaw in PHP poses a significant risk, potentially allowing remote code execution under certain conditions.
This vulnerability, designated as CVE-2024-4577, is identified as a CGI argument injection flaw that impacts all PHP versions installed on Windows systems.
DEVCORE security researcher Orange Tsai explains that the flaw circumvents existing protections established for a previous vulnerability, CVE-2012-1823.
“When implementing PHP, the development team overlooked the Best-Fit feature of encoding conversion within the Windows OS,” Tsai elaborated.
“This oversight permits unauthenticated attackers to bypass the CVE-2012-1823 safeguards using specific character sequences, enabling arbitrary code execution on remote PHP servers via argument injection.”
After responsible disclosure on May 7, 2024, a fix has been released in PHP versions 8.3.8, 8.2.20, and 8.1.29 to address the issue.
DEVCORE has cautioned that all XAMPP installations on Windows are inherently vulnerable when configured to use locales for Traditional Chinese, Simplified Chinese, or Japanese.
The Taiwanese firm advises administrators to transition away from the outdated PHP CGI and adopt more secure solutions like Mod-PHP, FastCGI, or PHP-FPM.
“This vulnerability is remarkably simple, yet intriguing,” Tsai remarked. “Who would have anticipated that a patch, considered secure for over a decade, could be circumvented due to a minor Windows feature?”
The Shadowserver Foundation reported on X that it detected exploitation attempts targeting the flaw against its honeypot servers within 24 hours of public disclosure.
watchTowr Labs confirmed that it developed an exploit for CVE-2024-4577, successfully achieving remote code execution, underscoring the urgency for users to apply the latest patches promptly.
“A severe bug with a straightforward exploit,” commented security researcher Aliz Hammond.
“Those operating under an affected configuration with the specified locales – Chinese (simplified or traditional) or Japanese – should act swiftly to mitigate the risk, as the simplicity of the exploit increases the likelihood of widespread abuse.”
