A new critical remote code execution (RCE) vulnerability has been discovered in PHP, affecting all versions affects all PHP versions PHP since 5.x that are installed on MS Windows operating systems. The new vulnerability is impacting a massive number of servers worldwide vulnerable to remote code execution (RCE) attacks.
The new security, now tracked as CVE-2024-4577, was discovered by Devcore Principal Security Researcher Orange Tsai and he reported the issue to the PHP developers. The new vulnerability is abusing PHP’s handling of character encoding conversions, specifically the ‘Best-Fit’ feature on Windows when PHP is used in CGI mode.
CVE-2024-4577 Exploits
Multiple proof-of-concept (POC) exploits that can be used to exploit CVE-2024-4577 are now publicly available on GitHub
CVE-2024-4577 Flaw
The CVE-2024-4577 flaw is caused by how PHP is handling character encoding conversions, this issue is affecting ‘Best-Fit’ feature on Windows when PHP is used in CGI mode. This will allows remote unauthenticated attackers to bypass execute arbitrary code on remote PHP servers through the argument injection attack.
The flaw is particularly severe, as it can be exploited even if PHP is not configured in CGI mode, as long as the PHP executables are in directories accessible by the web server. This means that all XAMPP installations on Windows are likely vulnerable by default.
How to fix CVE-2024-4577?
To fix this critical vulnerability, it is recommended to:
Upgrade to the latest supported PHP versions that have proper patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.
Apply a mod_rewrite rule to block attacks, like the following:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]If you are using XAMPP, comment out the ‘ScriptAlias‘ directive in the Apache configuration file (usually located at ‘C:/xampp/apache/conf/extra/httpd-xampp.conf‘) and disable the PHP CGI feature.
Consider migrating from CGI to more secure alternatives, like FastCGI, PHP-FPM, and Mod-PHP.
