PHP code could be easily exploited to let hackers target Windows servers

10 June 2024, 18:16 published

Cybersecurity researchers have discovered a new vulnerability in PHP which could allow hackers to run malicious code remotely.

The vulnerability is tracked as CVE-2’24-4577, and is described as a CGI argument injection vulnerability. At press time, it did not have a severity score assigned, but we do know that it affects all versions of PHP installed on the Windows operating system, and it was introduced when the team tried to patch a different flaw.

As the researchers from DEVCORE explained, the vulnerability was introduced when patching CVE-2012-1823: “While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system,” they explained. “This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”

Applying the patch

A fix has since been made available, and the earliest fixed versions include 8.3.8, 8.2.20, and 8.1.29. Users are advised to apply the patch immediately, since there is evidence of threat actors scanning the internet for vulnerable endpoints.

As reported by The Hacker News, the Shadowserver Foundation has already seen hackers probing endpoints for the vulnerability: “Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th,” the non-profit said on X. “Vulnerability affects PHP running on Windows.”

DEVCORE further stated that all XAMPP installations on Windows are vulnerable by default, when they are set up to use the locales for Traditional Chinese, Simplified Chinese, or Japanese. Thus, admins should replace outdated PHP CGI with something like Mod-PHP, FastCGI, or PHP-FPM:

“This vulnerability is incredibly simple, but that’s also what makes it interesting,” the researchers said. “Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?”