Cybersecurity researchers have discovered a new vulnerability in PHP that could allow hackers to remotely execute malicious code.
The vulnerability is tracked as CVE-2024-4577 and is described as a CGI argument injection vulnerability. At the time of writing, it had not yet been assigned a severity rating, but we do know that it affects all versions of PHP installed on the Windows operating system, and that it was introduced when the team was trying to fix another bug.
According to the DEVCORE researchers, the vulnerability was introduced when patching CVE-2012-1823: “During the implementation of PHP, the team did not notice the Best-Fit feature of encryption conversion within the Windows operating system,” they explained. “This monitoring allows unauthenticated attackers to bypass the previous protections of CVE-2012-1823 through specific strings. The argument injection attack can allow arbitrary code execution on remote PHP servers.”
Applying the patch
A fix has since become available, and the first fixed versions include 8.3.8, 8.2.20, and 8.1.29. Users are advised to apply the patch immediately as there is evidence of threat actors scanning the internet for vulnerable endpoints.
As reported by The Hacker News, the Shadowserver Foundation has already seen hackers probing endpoints for the vulnerability: “Pay attention! We are seeing multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (argument injection vulnerability) on our honeypot sensors as of today, June 7,” the non-profit said on X. “Vulnerability affects PHP running on Windows.”
DEVCORE further stated that all XAMPP installations on Windows are vulnerable by default when set to use the Traditional Chinese, Simplified Chinese, or Japanese locales. Administrators should therefore replace outdated PHP CGI with something like Mod-PHP, FastCGI or PHP-FPM.
“This vulnerability is incredibly simple, but that’s what makes it interesting,” the researchers said. “Who would have thought that a patch that has been reviewed and proven secure over the past twelve years could be bypassed because of a minor Windows feature?”
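As an added example (not code from DEVCORE, the PHP project or the original article), the following Python triages a host inventory against the fixed versions and the default-vulnerable XAMPP locales named above. The record fields, the locale tag spellings and the sample hosts are assumptions constructed for illustration.

```python
import re

# First fixed release per branch, as named in the article.
FIRST_FIXED = {(8, 3): 8, (8, 2): 20, (8, 1): 29}
# Locales the article flags for default XAMPP installs (tag spelling assumed).
PRIORITY_LOCALES = {"zh-TW", "zh-CN", "ja-JP"}
BANNER_RE = re.compile(r"PHP (\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Extract (major, minor, patch) from the first line of `php -v`."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no PHP version in banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def assess(host):
    """Return (status, detail) for one inventory record."""
    if host["os"].lower() != "windows":
        return "not-affected", "the CVE affects PHP on Windows"
    major, minor, patch = parse_version(host["banner"])
    if (major, minor) > max(FIRST_FIXED):
        return "unknown", "branch is newer than the article; check vendor notes"
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "vulnerable", "no fixed release listed for this branch"
    if patch >= fixed:
        return "patched", f"at or above {major}.{minor}.{fixed}"
    detail = f"upgrade to {major}.{minor}.{fixed} or later"
    if host.get("locale") in PRIORITY_LOCALES:
        detail += "; prioritise, locale is vulnerable by default under XAMPP"
    return "vulnerable", detail


# Constructed sample inventory (hostnames, banners and locales are made up).
INVENTORY = [
    {"name": "web01", "os": "Windows", "locale": "ja-JP",
     "banner": "PHP 8.2.12 (cgi-fcgi) (built: Oct 24 2023 21:15:15)"},
    {"name": "web02", "os": "Windows", "locale": "en-US",
     "banner": "PHP 8.3.8 (cgi-fcgi) (built: Jun  4 2024 15:02:11)"},
    {"name": "web03", "os": "Windows", "locale": "zh-TW",
     "banner": "PHP 7.4.33 (cgi-fcgi) (built: Nov  2 2022 16:00:00)"},
    {"name": "web04", "os": "Linux", "locale": "en-US",
     "banner": "PHP 8.1.2 (cli) (built: Jan 10 2024 10:00:00)"},
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h["name"], *assess(h))
```

A version at or above the fixed release only confirms the patch level; it says nothing about whether the host still serves PHP through CGI, which the article advises replacing.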