Critical PHP Vulnerability Exposes Servers to Remote Code Execution

DEVCORE has identified a severe remote code execution vulnerability in PHP, impacting all versions of the language on Windows systems. The vulnerability, tracked as CVE-2024-4577, was patched on June 6, 2024.

Discovery and disclosure

The DEVCORE offensive research team discovered this critical vulnerability while examining PHP's integration with Windows' encoding conversion feature. The flaw allows unauthenticated attackers to bypass existing protections (specifically CVE-2012-1823) using specific character sequences, facilitating arbitrary code execution on affected servers. DEVCORE reported the issue to the PHP official team on May 7, 2024, who acknowledged its severity and worked swiftly to develop and release a patch.

Technical details and impact

The vulnerability stems from an oversight in PHP's implementation, particularly its handling of the Best-Fit feature during encoding conversion on Windows. This flaw permits argument injection attacks, compromising server security. The affected PHP versions include:

• PHP 8.3 versions below 8.3.8
• PHP 8.2 versions below 8.2.20
• PHP 8.1 versions below 8.1.29

Notably, older PHP branches (8.0, 7.x, 5.x) are end-of-life and remain unmaintained, increasing the risk for systems still running these versions.

Servers running PHP under CGI mode or exposing the PHP binary are particularly at risk. Commonly affected configurations include:

• Mapping HTTP requests to PHP-CGI executables in Apache configurations.
• XAMPP for Windows, which by default exposes the PHP executable binary.

DEVCORE has verified the vulnerability's exploitation in Windows locales using Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936), and Japanese (Code Page 932). For other locales, including English, Korean, and Western European, a comprehensive asset assessment is recommended due to the varied PHP usage scenarios.

⚠️⚠️ CVE-2024-4577: PHP CGI Argument Injection
This vulnerability affects XAMPP for Windows by default.

🎯610K+ Results are found on the https://t.co/pb16tGYaKe nearly year.

FOFA Link🔗: https://t.co/nTtAMs2jWV

FOFA Query: app="XAMPP"

PHP overlooked the Best-Fit character… pic.twitter.com/ihUlGgEsJg

— FofaBot (@fofabot) June 7, 2024

Mitigation measures

Upgrading to the latest PHP versions (8.3.8, 8.2.20, 8.1.29) is strongly recommended. For systems that cannot be immediately upgraded, temporary mitigation involves implementing specific Apache Rewrite Rules to block attack vectors, particularly in locales identified as vulnerable.

For users of XAMPP for Windows, commenting out the ScriptAlias /php-cgi/”C:/xampp/php/” line in the Apache configuration file can mitigate exposure.

Server administrators should:

• Ensure PHP is updated to versions 8.3.8, 8.2.20, or 8.1.29.
• Conduct a thorough review of PHP configurations, especially for servers using CGI mode or exposing PHP binaries.
• Use recommended Rewrite Rules if immediate upgrades are not feasible.
• Evaluate migrating to more secure PHP execution architectures like Mod-PHP, FastCGI, or PHP-FPM.