Information has surfaced regarding a recent critical vulnerability affecting PHP that could be leveraged to accomplish remote code execution in specific scenarios.
The flaw, known as CVE-2024-4577, is identified as a CGI parameter insertion vulnerability impacting all editions of PHP installed on the Windows OS.
As per DEVCORE security expert, this shortfall enables the bypassing of protections implemented for another security vulnerability, CVE-2012-1823.
“During the implementation of PHP, the team overlooked the Optimal-Fit characteristic of encoding conversion within the Windows OS,” mentioned security researcher Orange Tsai asserted.
“This negligence allows unauthenticated intruders to circumvent the previous safeguard of CVE-2012-1823 by employing specific character sequences. Malicious code can be executed on distant PHP servers via the argument insertion assault.”
After a responsible disclosure on May 7, 2024, a remedy for the vulnerability has been released in PHP versions 8.3.8, 8.2.20, and 8.1.29.
DEVCORE has cautioned that all XAMPP installations on Windows are vulnerable if configured to utilize the locales for Traditional Chinese, Simplified Chinese, or Japanese.
The Taiwanese firm is further suggesting that administrators transition away from the outdated PHP CGI and instead select a more secure solution like Mod-PHP, FastCGI, or PHP-FPM.
“This flaw is remarkably simple, but that’s also what renders it intriguing,” Tsai expressed. “Who would have speculated that a patch, which has been vetted and declared secure for the past 12 years, could be evaded due to a minor Windows feature?”
The Shadowserver Foundation, in a post shared on X, revealed that exploitation attempts leveraging the flaw against its honeypot servers were already detected within 24 hours of public disclosure.
watchTowr Labs mentioned that they successfully crafted an exploit for CVE-2024-4577 and achieved remote code execution, stressing the urgency for users to promptly apply the latest patches.
“A harmful glitch with an extremely straightforward exploit,” security expert Aliz Hammond conveyed.
“Those running in an affected setup under one of the impacted locales – Chinese (simplified, or traditional) or Japanese – are advised to act swiftly, as the glitch has a substantial likelihood of being broadly exploited due to the low exploit complexity.”
About Author
