CVE-2024-4577: Everything you need to know about PHP CGI Argument Injection vulnerability

By
Neda Ali
Published on
10 Jun 2024
6 min read
Vulnerability

On June 6th, 2024, a critical vulnerability identified as CVE-2024-4577 was disclosed, sending ripples through the PHP development community.

This newly discovered flaw is a Remote Code Execution (RCE) within PHP. It poses significant risks, potentially allowing malicious actors to execute arbitrary code on vulnerable servers.

The vulnerability underscores the importance of immediate attention and action from PHP developers and system administrators to secure their environments.

Given the pervasive use of PHP in web development, this security breach has widespread implications, emphasizing the need for robust security practices and timely updates to safeguard against such critical exploits.

What is PHP CGI Argument Injection vulnerability (CVE-2024-4577)?

CVE-2024-4577 is a patch bypass of CVE-2012-1823.

CVE-2012-1823 was patched in PHP versions 5.13.12 and 5.4.2 on May 3, 2012, and at the time was noted to be a vulnerability that has gone unnoticed for at least 8 years. The vulnerability was originally discovered during a capture the flag (CTF) event in 2012.

A variety of exploit scripts exist for CVE-2012-1823 and it has been in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list since March 25, 2022.

Analysis of PHP CGI Argument Injection vulnerability (CVE -2024-4577)

CVE-2024-4577 is a severe argument injection vulnerability in PHP that can be exploited for Remote Code Execution (RCE).

Researchers have identified that this flaw stems from errors in character encoding conversions, particularly impacting the “Best Fit” feature on Windows systems.

The team has highlighted two scenarios to help administrators assess whether their servers are at risk.

  • Scenario 1: PHP running with CGI mode enabled

The first scenario involves PHP running with CGI mode enabled. PHP documentation warns that CGI mode can be hazardous, as it exposes servers to various vulnerabilities.

  • Scenario 2: Making the PHP binary accessible

The second scenario concerns a PHP installation where the PHP binary is accessible via a web directory. XAMPP, a widely used PHP development environment, exposes the PHP binary by default, potentially affecting numerous systems across the internet.

What is the impact of PHP CGI Argument Injection vulnerability (CVE-2024-4577)?

PHP CGI Argument Injection vulnerability (CVE-2024-4577) impacts all PHP versions installed on the Windows operating system. The affected versions are listed below:

  • PHP 8.3 < 8.3.8

  • PHP 8.2 < 8.2.20

  • PHP 8.1 < 8.1.29

Am I vulnerable to PHP CGI Argument Injection vulnerability (CVE-2024-4577)?

For common setups such as Apache HTTP server with PHP, server administrators can use the two methods outlined above to determine vulnerability status.

It’s important to note that Scenario 2, which involves the PHP binary being exposed in a web-accessible directory, is the default configuration for XAMPP on Windows, making all XAMPP installations on Windows vulnerable by default.

As of now, it has been confirmed that an unauthorized attacker can execute arbitrary code on remote servers running Windows in the following locales:

  • Traditional Chinese (Code Page 950)

  • Simplified Chinese (Code Page 936)

  • Japanese (Code Page 932)

For Windows running in other locales such as English, Korean, and Western European, the diverse range of PHP usage scenarios makes it difficult to enumerate and eliminate all potential exploitation avenues.

Therefore, it is recommended that users perform a thorough asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.

To ensure your PHP installation is secure and to detect the presence of PHP CGI (CVE-2024-4577) vulnerability, you can now run a security test using Beagle Security.

How can you mitigate this vulnerability?

It is strongly recommended that all users upgrade to the latest PHP versions: 8.3.8, 8.2.20, and 8.1.29. For systems that cannot be upgraded immediately, the following instructions provide temporary mitigation for the vulnerability.

However, since PHP CGI is an outdated and problematic architecture, it is advisable to consider migrating to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM.

  • For users who cannot upgrade PHP: The following Rewrite Rules can be applied to block attacks. These rules are only a temporary mitigation for Traditional Chinese, Simplified Chinese, and Japanese locales. Updating to a patched version or migrating to a more secure architecture is still recommended.
RewriteEngine On 
RewriteCond %{QUERY_STRING} ^%ad [NC] 
RewriteRule .? - [F,L]
  • For users who use XAMPP for Windows: XAMPP has not yet released update files for this vulnerability. If you do not require the PHP CGI feature, you can mitigate the vulnerability by modifying the Apache HTTP Server configuration:

Edit the file: C:/xampp/apache/conf/extra/httpd-xampp.conf

Locate the following lines:

ScriptAlias /php-cgi/ "C:/xampp/php/"

Comment out the lines:

# ScriptAlias /php-cgi/ "C:/xampp/php/"

Sequence of events

  • 2024/05/07: The issue was reported through the official PHP vulnerability disclosure page.

  • 2024/05/07: PHP developers confirmed the vulnerability and stressed the need for a prompt fix.

  • 2024/05/16: PHP developers released the first version of the fix and requested feedback.

  • 2024/05/18: PHP developers released the second version of the fix and requested feedback.

  • 2024/05/20: PHP began preparing for the new version release.

  • 2024/06/06: PHP released new versions 8.3.8, 8.2.20, and 8.1.29.

Summing up

The discovery of the CVE-2024-4577 vulnerability underscores the critical importance of maintaining vigilant security practices within the PHP development community.

This argument injection flaw, which can lead to remote code execution, particularly affects PHP installations on Windows systems through character encoding conversion errors.

Given its potential to compromise many servers, developers and system administrators must promptly upgrade to the latest PHP versions (8.3.8, 8.2.20, and 8.1.29) to mitigate this threat.

For environments where immediate upgrading is not feasible, temporary mitigation measures such as applying Rewrite Rules and modifying server configurations are essential stopgaps. However, these are not long-term solutions, and transitioning to more secure architectures like Mod-PHP, FastCGI, or PHP-FPM should be a priority.

As with any significant vulnerability, proactive measures, continuous monitoring, and regular updates are vital in safeguarding against potential exploits. The CVE-2024-4577 incident serves as a reminder of the ever-evolving landscape of cybersecurity threats and the ongoing need for robust defenses to protect our digital infrastructure.


Written by
Neda Ali
Neda Ali
Product Marketing Specialist
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days