Researchers have discovered a serious remote code execution vulnerability affecting PHP installations. As observed, this RCE flaw threatens Windows systems, thus requiring an immediate patch with the latest PHP versions.
A Simple PHP RCE Flaw Poses Severe Threat to Windows Servers
Sharing the details in a blog post, DEVCORE researchers warned users of the remote code execution (RCE) flaw in PHP that risks Windows servers.
The vulnerability is basically a bypass for a previously patched flaw, CVE-2012-1823. First reported in 2012, this 12-year-old vulnerability affected the PHP-CGI query string parameter. An unauthenticated adversary could exploit the flaw for various malicious purposes, including triggering a denial of service, viewing source code, and executing arbitrary codes. Describing the vulnerability, the advisory read,
When PHP is used in a CGI-based setup (such as Apache’s mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.
Upon discovery and bug report, the vulnerability received a fix with PHP versions 5.4.3 and 5.3.13.
However, after over a decade, DEVCORE researchers found that bypassing the patch remains possible, allowing RCE attacks. This bypass became possible due to Windows’ Best-Fit feature of encoding conversion. An adversary could enter specific character sequences to execute arbitrary codes via argument injection attack.
While DEVCORE researchers haven’t shared more details, watchTowr’s blog post elaborates on it alongside sharing the exploit. They even called it a “nasty bug with a very simple exploit.”
Patch Your Systems Now
The new vulnerability, CVE-2024-4577, affects almost all existing PHP versions, receiving a fix with PHP versions 8.3.8, 8.2.20, and 8.1.29, respectively. Typically, the researchers found Windows-based PHP installations running in the Chinese (traditional and simplified) and Japanese locales and all XAMPP installations vulnerable. Nonetheless, they believe that the flaw might also impact other locales.
Hence, users running PHP versions 8.3.x, 8.2.x, and 8.1.x earlier than the patched releases must upgrade their systems immediately to receive the fix. Besides, where an immediate system upgrade isn’t feasible, researchers advise users to deploy mitigations described in their advisory.
Let us know your thoughts in the comments.