Product & Solutions
Resources
FREE TOOLS
Website Security Assessment SSL Certificate Checker Domain Expiry Checker HELP AND SUPPORT
Help Center Developer HubCompany
On June 6th, 2024, a critical vulnerability identified as CVE-2024-4577 was disclosed, sending ripples through the PHP development community.
This newly discovered flaw is a Remote Code Execution (RCE) within PHP. It poses significant risks, potentially allowing malicious actors to execute arbitrary code on vulnerable servers.
The vulnerability underscores the importance of immediate attention and action from PHP developers and system administrators to secure their environments.
Given the pervasive use of PHP in web development, this security breach has widespread implications, emphasizing the need for robust security practices and timely updates to safeguard against such critical exploits.
CVE-2024-4577 is a patch bypass of CVE-2012-1823.
CVE-2012-1823 was patched in PHP versions 5.13.12 and 5.4.2 on May 3, 2012, and at the time was noted to be a vulnerability that has gone unnoticed for at least 8 years. The vulnerability was originally discovered during a capture the flag (CTF) event in 2012.
A variety of exploit scripts exist for CVE-2012-1823 and it has been in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list since March 25, 2022.
CVE-2024-4577 is a severe argument injection vulnerability in PHP that can be exploited for Remote Code Execution (RCE).
Researchers have identified that this flaw stems from errors in character encoding conversions, particularly impacting the “Best Fit” feature on Windows systems.
The team has highlighted two scenarios to help administrators assess whether their servers are at risk.
The first scenario involves PHP running with CGI mode enabled. PHP documentation warns that CGI mode can be hazardous, as it exposes servers to various vulnerabilities.
The second scenario concerns a PHP installation where the PHP binary is accessible via a web directory. XAMPP, a widely used PHP development environment, exposes the PHP binary by default, potentially affecting numerous systems across the internet.
PHP CGI Argument Injection vulnerability (CVE-2024-4577) impacts all PHP versions installed on the Windows operating system. The affected versions are listed below:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
For common setups such as Apache HTTP server with PHP, server administrators can use the two methods outlined above to determine vulnerability status.
It’s important to note that Scenario 2, which involves the PHP binary being exposed in a web-accessible directory, is the default configuration for XAMPP on Windows, making all XAMPP installations on Windows vulnerable by default.
As of now, it has been confirmed that an unauthorized attacker can execute arbitrary code on remote servers running Windows in the following locales:
Traditional Chinese (Code Page 950)
Simplified Chinese (Code Page 936)
Japanese (Code Page 932)
For Windows running in other locales such as English, Korean, and Western European, the diverse range of PHP usage scenarios makes it difficult to enumerate and eliminate all potential exploitation avenues.
Therefore, it is recommended that users perform a thorough asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.
To ensure your PHP installation is secure and to detect the presence of PHP CGI (CVE-2024-4577) vulnerability, you can now run a security test using Beagle Security.
It is strongly recommended that all users upgrade to the latest PHP versions: 8.3.8, 8.2.20, and 8.1.29. For systems that cannot be upgraded immediately, the following instructions provide temporary mitigation for the vulnerability.
However, since PHP CGI is an outdated and problematic architecture, it is advisable to consider migrating to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
Edit the file: C:/xampp/apache/conf/extra/httpd-xampp.conf
Locate the following lines:
ScriptAlias /php-cgi/ "C:/xampp/php/"
Comment out the lines:
# ScriptAlias /php-cgi/ "C:/xampp/php/"
2024/05/07: The issue was reported through the official PHP vulnerability disclosure page.
2024/05/07: PHP developers confirmed the vulnerability and stressed the need for a prompt fix.
2024/05/16: PHP developers released the first version of the fix and requested feedback.
2024/05/18: PHP developers released the second version of the fix and requested feedback.
2024/05/20: PHP began preparing for the new version release.
2024/06/06: PHP released new versions 8.3.8, 8.2.20, and 8.1.29.
The discovery of the CVE-2024-4577 vulnerability underscores the critical importance of maintaining vigilant security practices within the PHP development community.
This argument injection flaw, which can lead to remote code execution, particularly affects PHP installations on Windows systems through character encoding conversion errors.
The discovery of the CVE-2024-4577 vulnerability underscores the critical importance of maintaining vigilant security practices within the PHP development community. This argument injection flaw, which can lead to remote code execution, particularly affects PHP installations on Windows systems through character encoding conversion errors.
Given its potential to compromise many servers, developers and system administrators must promptly upgrade to the latest PHP versions (8.3.8, 8.2.20, and 8.1.29) to mitigate this threat.
For environments where immediate upgrading is not feasible, temporary mitigation measures such as applying Rewrite Rules and modifying server configurations are essential stopgaps. However, these are not long-term solutions, and transitioning to more secure architectures like Mod-PHP, FastCGI, or PHP-FPM should be a priority.
As with any significant vulnerability, proactive measures, continuous monitoring, and regular updates are vital in safeguarding against potential exploits. The CVE-2024-4577 incident serves as a reminder of the ever-evolving landscape of cybersecurity threats and the ongoing need for robust defenses to protect our digital infrastructure.
