Administrators are being advised to update their systems following the disclosure of a critical vulnerability in PHP.
The PHP 8.3.8 updates a potential remote takeover vulnerability in the popular scripting tool. Listed as CVE-2024-4577, the flaw occurs when a server or PC is running in certain configurations that expose CGI.
According to Orange Tsai, the Devcore researcher credited with discovering CVE-2024-4577, the vulnerability is actually a recurrence of an argument injection bug that was patched more than a decade ago.
“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system,” Tsai explained.
“This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences.”
Tsai said that, in practice, this means that when PHP is configured to allow certain types of CGI interaction, arbitrary arguments can be injected remotely. This, in turn, would allow the attacker to trigger code execution on the targeted server and take complete control.
Unfortunately, whether a machine is vulnerable to the attack scenario can be hard to figure out. While Windows systems running Japanese, traditional Chinese, or simplified Chinese are all presumed to be vulnerable, the danger for other systems depends on whether CGI mode is enabled or the PHP binary is exposed.
“For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios,” Tsai explained.
Because assessing whether a system is vulnerable can be so tricky, the researcher recommends simply updating the PHP installation to the latest version, 8.3.8.
Additionally, Tsai recommended that administrators consider moving away from CGI altogether and opting for a more modern solution such as Mod-PHP, FastCGI, or PHP-FPM.
CVE-2024-4577 is not the only serious PHP flaw currently posing a threat. It has also been confirmed that a pair of older PHP vulnerabilites are also being targeted in the wild. In each case, the flaws can be resolved with a quick update.
