A significant security flaw has been discovered in PHP, posing a risk of remote code execution on Windows servers.
The vulnerability, identified as CVE-2024-4577, affects all PHP versions on Windows and is categorized as a CGI argument injection flaw. According to the security researcher, this issue enables attackers to bypass protections established for a previous vulnerability, CVE-2012-1823.
During PHP implementation, the team overlooked the Best-Fit feature of encoding conversion in Windows, which allows unauthenticated attackers to bypass the prior protection using specific character sequences. This leads to arbitrary code execution on remote PHP servers through argument injection attacks.
After responsibly disclosing the vulnerability on May 7, 2024, PHP versions 8.3.8, 8.2.20, and 8.1.29 have received patches to address the flaw. DEVCORE has indicated that all XAMPP installations on Windows are vulnerable by default if configured to use Traditional Chinese, Simplified Chinese, or Japanese locales.
The Taiwanese firm advises administrators to abandon the outdated PHP CGI and adopt more secure solutions like Mod-PHP, FastCGI, or PHP-FPM.
The researcher reported detecting exploitation attempts against its honeypot servers within 24 hours of the public disclosure. Additionally, another researcher successfully developed an exploit for CVE-2024-4577, emphasizing the urgent need for users to apply the latest patches.
Security researcher warned, “This bug has a straightforward exploit, and those using affected configurations with Chinese or Japanese locales should patch immediately, as the bug is likely to be widely exploited due to its low complexity.”
To mitigate the risk posed by the PHP vulnerability (CVE-2024-4577), administrators should promptly update PHP to the latest patched versions. Avoid using outdated PHP CGI configurations, opting for more secure alternatives like Mod-PHP, FastCGI, or PHP-FPM. Implementing network segmentation and using web application firewalls can help protect against potential exploitation. Conduct regular security audits and vulnerability assessments to identify and address weaknesses in the system.
