Severe PHP Vulnerability CVE-2024-4577 Puts Millions of Windows Servers at Risk of Remote Code Execution

Researchers at cybersecurity firm DEVCORE have identified a critical remote code execution (RCE) vulnerability, CVE-2024-4577, in PHP running on Windows. The flaw is not limited to old releases: it affects every PHP branch on Windows, including the maintained 8.1, 8.2 and 8.3 series as well as the end-of-life 8.0, 7 and 5 series, and potentially exposes millions of servers. An unauthenticated attacker can execute arbitrary code and take full control of an affected system.

Description

When implementing PHP's CGI handling, the PHP team overlooked the Best-Fit behaviour that Windows applies when converting text between encodings. An unauthenticated attacker can use a specific character sequence (a soft hyphen, 0xAD, which Windows' Best-Fit mapping converts to an ASCII hyphen on some code pages) to bypass the protection added for CVE-2012-1823, which looks for a literal hyphen in the query string. The injected hyphen is then parsed as a command-line option, so arbitrary code can be executed on a remote PHP server through an argument injection attack.
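As an added illustration (this script is not from DEVCORE or the PHP project), the following PowerShell, run on Windows, shows the Best-Fit conversion the bypass relies on. .NET's code-page encoders apply Best-Fit mapping by default, so encoding a soft hyphen for code pages 932, 936 and 950 yields the ASCII hyphen that the CVE-2012-1823 check was designed to catch, while code page 1252 keeps the soft hyphen. The CVE-2012-1823 guard is modelled here as a check on the first decoded byte, and the Latin-1 interpretation of the 0xAD byte is this example's assumption about how the byte is treated before the code-page conversion.

```powershell
# Added example for this article; not code from PHP, DEVCORE or XAMPP.
# PowerShell 7 (.NET Core) needs the code-page provider registered;
# Windows PowerShell 5.1 (.NET Framework) has the code pages built in.
if ($PSVersionTable.PSVersion.Major -ge 6) {
    [System.Text.Encoding]::RegisterProvider([System.Text.CodePagesEncodingProvider]::Instance)
}

# "%ADd" after URL decoding: the byte 0xAD followed by 'd' (constructed input).
$queryBytes = [byte[]](0xAD, 0x64)

# Assumption of this model: the 0xAD byte is interpreted as U+00AD (soft hyphen)
# before Windows converts the argument to the process's ANSI code page.
$arg = [System.Text.Encoding]::GetEncoding(28591).GetString($queryBytes)

# Simplified model of the CVE-2012-1823 protection: option parsing is refused
# only when the decoded query string starts with an ASCII hyphen-minus (0x2D).
# 0xAD is not 0x2D, so the guard does not fire.
$guardTriggered = $arg.StartsWith('-')
"CVE-2012-1823 guard triggered: $guardTriggered"

# What php-cgi.exe receives once the argument is converted to each code page.
# Code pages 932/936/950 have no soft hyphen, so Best-Fit substitutes '-' and
# the argument becomes "-d". CP1252 contains U+00AD and keeps it unchanged.
foreach ($cp in 932, 936, 950, 1252) {
    $bytes   = [System.Text.Encoding]::GetEncoding($cp).GetBytes($arg)
    $hex     = ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    $text    = [System.Text.Encoding]::ASCII.GetString($bytes)   # non-ASCII shows as '?'
    $verdict = if ($text.StartsWith('-')) { 'OPTION INJECTED' } else { 'no option' }
    '{0,-6} {1,-8} -> {2,-4} {3}' -f "CP$cp", $hex, $text, $verdict
}

# The code page a php-cgi.exe on this machine would use: the system ANSI code page.
$acp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\CodePage').ACP
"System ANSI code page: $acp"
```

Run it on a machine set to a Japanese or Chinese system locale and on an English one to see the same two bytes produce "-d" on the first and an unchanged soft hyphen on the second; the last line tells you which case your own server is in.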

Impact

This vulnerability affects all versions of PHP installed on Windows. The maintained branches and the release that fixes each are:

  • PHP 8.3: versions below 8.3.8 are vulnerable (fixed in 8.3.8)
  • PHP 8.2: versions below 8.2.20 are vulnerable (fixed in 8.2.20)
  • PHP 8.1: versions below 8.1.29 are vulnerable (fixed in 8.1.29)

Because the PHP 8.0, PHP 7 and PHP 5 branches are end-of-life and no longer receive fixes, administrators running them should use the Am I Vulnerable? section to check their exposure and apply the temporary workarounds in the Mitigation Measures section.

Am I Vulnerable?

For typical setups combining Apache HTTP Server and PHP, server administrators can use the two scenarios outlined in this article to determine whether their servers are vulnerable. Notably, the second scenario (an exposed PHP binary) is the default configuration of XAMPP for Windows, so every XAMPP for Windows installation is vulnerable by default.

As of this writing, it has been confirmed that when Windows is running in the following locales, an unauthenticated attacker can directly execute arbitrary code on the remote server:

  • Traditional Chinese (Code Page 950)
  • Simplified Chinese (Code Page 936)
  • Japanese (Code Page 932)

For Windows running in other locales, such as English, Korean, and Western European, the diverse range of PHP usage scenarios makes it difficult to fully enumerate and eliminate all potential exploitation scenarios. Therefore, users are advised to conduct a thorough asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.

Running PHP under CGI mode

This vulnerability can be directly exploited when the Action directive in Apache HTTP Server maps PHP requests to the PHP-CGI executable.

Common vulnerable configurations include mapping .php requests to the php-cgi binary with AddHandler and Action:

AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"

or with a FilesMatch handler plus an Action directive:

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>

Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"

Exposing the PHP binary

Even if PHP is not configured in CGI mode, simply having the PHP executable exposed in a CGI-enabled directory makes the server vulnerable, because the binary can then be invoked directly over HTTP.

Common scenarios include:

  • Copying php.exe or php-cgi.exe to the /cgi-bin/ directory
  • Exposing the PHP directory via ScriptAlias directive, such as:
 ScriptAlias /php-cgi/ "C:/xampp/php/"
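To turn the two scenarios above into a repeatable check, here is an added PowerShell script (not from DEVCORE, the PHP project or XAMPP) that reports the installed PHP version against the fixed releases, greps the Apache configuration for the CGI mappings and ScriptAlias exposure described above, looks for copies of the PHP binary under cgi-bin, and prints the system code page. The paths at the top assume a default XAMPP layout and are the example's assumption; adjust them for other installations.

```powershell
# Added example for this article; not code from DEVCORE, PHP or XAMPP.
# Assumed default XAMPP paths; change for other Apache/PHP installs.
$ApacheConf = 'C:\xampp\apache\conf'
$PhpDir     = 'C:\xampp\php'

# 1. PHP version against the fixed releases named in the advisory.
#    PHP 8.0, 7 and 5 are end-of-life and have no fixed release.
$fixed  = @{ '8.3' = [version]'8.3.8'; '8.2' = [version]'8.2.20'; '8.1' = [version]'8.1.29' }
$phpExe = Join-Path $PhpDir 'php.exe'
if (Test-Path $phpExe) {
    $banner = & $phpExe -n -v 2>$null | Select-Object -First 1   # e.g. "PHP 8.2.12 (cli) (built: ...)"
    if ($banner -match 'PHP (\d+\.\d+\.\d+)') {
        $v      = [version]$Matches[1]
        $branch = "$($v.Major).$($v.Minor)"
        if ($fixed.ContainsKey($branch)) {
            if ($v -lt $fixed[$branch]) { "PHP $v: VULNERABLE, upgrade to $($fixed[$branch])" }
            else                        { "PHP $v: patched release" }
        } else {
            "PHP $v: end-of-life branch with no fix; apply the workarounds or migrate"
        }
    }
} else {
    "php.exe not found under $PhpDir"
}

# 2. Apache configuration: CGI mapping (scenario 1) or an exposed PHP directory (scenario 2).
$patterns = @(
    'Action\s+\S+\s+"[^"]*php(-cgi)?\.exe"',        # Action ... "/cgi-bin/php-cgi.exe"
    'SetHandler\s+application/x-httpd-php-cgi',
    'AddHandler\s+cgi-script\s+.*\.php',
    'ScriptAlias\s+\S+\s+"[^"]*[\\/]php[\\/]?"'     # ScriptAlias /php-cgi/ "C:/xampp/php/"
)
Get-ChildItem -Path $ApacheConf -Recurse -Include *.conf |
    Select-String -Pattern $patterns |
    Where-Object { $_.Line -notmatch '^\s*#' } |        # ignore directives already commented out
    ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }

# 3. Copies of php.exe / php-cgi.exe placed inside any cgi-bin directory.
Get-ChildItem -Path (Split-Path $ApacheConf) -Recurse -Include php.exe, php-cgi.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\cgi-bin\\' } |
    ForEach-Object { "exposed PHP binary: $($_.FullName)" }

# 4. Locale: the advisory confirms direct exploitation on code pages 950, 936 and 932.
$acp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\CodePage').ACP
if ($acp -in '932', '936', '950') { "System ANSI code page $acp: confirmed exploitable locale" }
else                              { "System ANSI code page $acp: other locale, still update PHP" }
```

A hit from step 2 or 3 on an unpatched or end-of-life PHP means the host needs the mitigation below regardless of locale; the code page only tells you whether the confirmed exploit path applies directly.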

Mitigation Measures

We strongly advise all users to upgrade to the latest PHP versions: 8.3.8, 8.2.20, and 8.1.29. For systems that cannot be immediately upgraded, the following instructions can be used to temporarily mitigate the vulnerability.

Nevertheless, given that PHP CGI is outdated and poses security risks, we recommend evaluating the feasibility of migrating to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM.

For users who cannot upgrade PHP, we recommend adding the following rewrite rules to block the attack. The rule rejects any request whose raw query string begins with the percent-encoded soft hyphen (%ad, matched case-insensitively via [NC]), which is the sequence that Best-Fit turns into a hyphen on the affected code pages. Please be aware that these rules provide only temporary mitigation for the Traditional Chinese, Simplified Chinese and Japanese locales. Updating to a patched version or migrating to a more secure architecture remains the permanent solution.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

For users of XAMPP for Windows, we recommend disabling the PHP CGI feature to remove the exposure. At the time of writing, XAMPP has not yet released an update for this vulnerability.

In C:/xampp/apache/conf/extra/httpd-xampp.conf locate the following line:

ScriptAlias /php-cgi/ "C:/xampp/php/"

And comment it out:

# ScriptAlias /php-cgi/ "C:/xampp/php/"
