
Critical PHP Flaw Allows Remote Code Execution on Windows Servers

A serious vulnerability has been disclosed in PHP that could allow remote code execution on web servers running the popular scripting language on Windows operating systems. The flaw, assigned CVE-2024-4577, stems from an argument injection bug in the way PHP handles certain character encodings.

The vulnerability was discovered by security researcher Orange Tsai from DEVCORE and has been described as a "bypass" of protections for a previous PHP vulnerability from 2012 known as CVE-2012-1823.

According to DEVCORE researcher Orange Tsai, a failure by PHP developers to account for the "Best-Fit" character encoding feature in Windows introduced a new risk.

"This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences," Tsai explained in DEVCORE's advisory. "Arbitrary code can be executed on remote PHP servers through the argument injection attack."

The flaw specifically impacts PHP installations configured to use locales for Chinese (both Traditional and Simplified) or Japanese character sets. This includes XAMPP development environments on Windows, which are vulnerable by default when using those locales.

Patches addressing CVE-2024-4577 have been released in PHP 8.3.8, 8.2.20, and 8.1.29. However, DEVCORE urges administrators to move away from the outdated PHP CGI interface entirely and adopt more secure options such as Mod-PHP, FastCGI or PHP-FPM.
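As an added triage example (not code from the article or DEVCORE), the check below encodes the conditions this article lists: a Windows host, PHP served through the CGI interface, a Chinese or Japanese locale, and a build older than 8.3.8, 8.2.20 or 8.1.29. The Host fields, locale prefixes and SAPI names are assumptions about how inventory data is recorded, and the sample hosts are constructed.

```python
"""Triage helper for CVE-2024-4577 exposure across an inventory of PHP hosts."""
from dataclasses import dataclass

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED_VERSIONS = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# Locale prefixes for the affected locales (Chinese and Japanese); matching on
# language-tag prefixes such as "zh-TW" / "ja-JP" is an assumption about the data.
AFFECTED_LOCALE_PREFIXES = ("zh", "ja")

# "Server API" values from `php -i` that mean the CGI binary is in use
# (php-cgi.exe reports itself as "cgi-fcgi").
CGI_SAPIS = {"cgi", "cgi-fcgi"}


@dataclass(frozen=True)
class Host:
    name: str
    os: str           # e.g. "Windows", "Linux"
    sapi: str         # value of "Server API" in php -i
    locale: str       # e.g. "zh-TW", "ja-JP", "en-US"
    php_version: str  # raw `php -v` line or a bare "x.y.z"


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from '8.2.19' or 'PHP 8.2.19 (cgi-fcgi) ...'."""
    for token in text.split():
        parts = token.split(".")
        if len(parts) == 3 and all(p.isdigit() for p in parts):
            return (int(parts[0]), int(parts[1]), int(parts[2]))
    raise ValueError(f"no x.y.z version found in {text!r}")


def assess(host: Host) -> str:
    """Return 'vulnerable', 'patched', 'not-affected' or 'review' for one host."""
    if host.os.lower() != "windows":
        return "not-affected"   # the bug depends on Windows Best-Fit mapping
    if host.sapi.lower() not in CGI_SAPIS:
        return "not-affected"   # Mod-PHP / PHP-FPM are not the CGI interface
    if not host.locale.lower().startswith(AFFECTED_LOCALE_PREFIXES):
        return "review"         # locale not in the article's list; verify manually
    ver = parse_version(host.php_version)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return "review"         # branch without a listed fix; verify manually
    return "patched" if ver >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for h in (Host("xampp-1", "Windows", "cgi-fcgi", "zh-TW", "PHP 8.2.19 (cgi-fcgi)"),
              Host("web-2", "Windows", "apache2handler", "ja-JP", "8.1.28")):
        print(h.name, assess(h))
```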

"This vulnerability is incredibly simple, but that's also what makes it interesting," said Tsai. "Who would have thought that a patch which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?"

watchTowr Labs confirmed they were able to gain remote code execution via CVE-2024-4577, labelling it a "nasty bug with a very simple exploit."

With PHP powering over 77% (approx.) of websites globally, administrators of affected configurations running one of the affected locales (Chinese, Simplified or Traditional, or Japanese) are urged to patch as fast as humanly possible.

Organizations and hosting providers are being advised to act swiftly to mitigate the remote code execution risk through patching or migration away from vulnerable PHP CGI environments.
