Critical PHP Vulnerability (CVE-2024-4577) Allows Unauthenticated Code Execution on Windows Systems

United States of America
Affected versions: 8.3 prior to 8.3.8, 8.2 prior to 8.2.20, and 8.1 prior to 8.1.29.
CVE-2024-4577 is a critical PHP vulnerability that allows unauthenticated code execution on Windows systems.
Researchers have observed scanning activity targeting this bug.
Vulnerable when PHP is running in CGI mode or the PHP binary is exposed in a CGI directory.
Critical PHP Vulnerability (CVE-2024-4577) Allows Unauthenticated Code Execution on Windows Systems

A critical vulnerability in PHP, identified as CVE-2024-4577, has been disclosed and requires system administrators to update their PHP installations on all Windows systems. The flaw allows unauthenticated attackers to trigger code execution on targeted servers and take complete control when PHP is configured to allow certain types of CGI interaction or the PHP binary is exposed.

The vulnerability occurs due to an oversight in encoding conversion within the Windows operating system that allows specific character sequences to bypass previous protection. Systems running Japanese, traditional Chinese, or simplified Chinese are presumed to be vulnerable. For other systems, vulnerability depends on whether CGI mode is enabled.

Researchers from Devcore and Shadowserver Foundation have reported observing scanning activity targeting this bug. Attackers can exploit the vulnerability in two specific scenarios: when PHP is running in CGI mode or when the PHP binary is exposed in CGI directory (the default mode for XAMPP).

The flaw is a recurrence of an argument injection bug that was patched more than a decade ago. It affects all versions of PHP on Windows, including version branches 8.3 prior to 8.3.8, 8.2 prior to 8.2.20, and 8.1 prior to 8.1.29.

Administrators are advised to update their systems as soon as possible and consider moving away from CGI altogether and opting for a more modern solution such as Mod-PHP, FastCGI, or PHP-FPM.

Organizations that are running vulnerable versions of PHP should prioritize updating their systems to mitigate the risks associated with this vulnerability.



Confidence

90%

Doubts
  • Is the vulnerability limited to Japanese, traditional Chinese, and simplified Chinese systems?
  • What other methods can attackers use to exploit this vulnerability besides CGI mode and exposed PHP binaries?

Sources

81%

  • Unique Points
    • The vulnerability can be exploited when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server, making the XAMPP platform vulnerable by default.
    • The vulnerability was discovered by Devcore researcher Orange Tsai and affects all versions of PHP running on a Windows device, including version branches 8.3 prior to 8.3.8, 8.2 prior to 8.2.20, and 8.1 prior to 8.1.29.
    • Admins without the need for PHP CGI can mitigate the vulnerability by turning it off using the following Apache HTTP Server configuration: C:/xampp/apache/conf/extra/httpd-xampp.conf
  • Accuracy
    • The vulnerability can be exploited when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server.
    • The flaw is caused by an oversight in handling character encoding conversions on Windows when PHP is used in CGI mode.
    • Attackers can bypass previous protections of CVE-2012-1823 and execute arbitrary code on remote PHP servers through argument injection attacks.
  • Deception (30%)
    The article contains sensational language such as 'nasty bug with very simple exploit hits PHP just in time for the weekend' and 'No escape'. These statements are designed to grab the reader's attention and create a sense of urgency. The author also uses emotional manipulation by implying that admins who don't take action before the weekend could be responsible for security breaches on their servers. Additionally, there is selective reporting as the article only mentions the vulnerability in PHP when it runs in CGI mode and does not mention other ways it may be exploited.
    • It turns out that, as part of unicode processing, PHP will apply what’s known as a best fit mapping, and helpfully assume that, when the user entered a soft hyphen (0xAD), they actually intended to type a real hyphen (0x2D), and interpret it as such. Herein lies our vulnerability—if we supply a CGI handler with a soft hyphen (0xAD), the CGI handler won’t feel the need to escape it, and will pass it to PHP.
    • No escape Like many other languages, PHP converts certain types of user input to prevent it from being interpreted as a command for execution. This is a process known as escaping. For example, in HTML, the <u003C and </u003E characters are often escaped by converting them into their unicode hex value equivalents <u003C and </u003E to prevent them from being interpreted as HTML tags by a browser.
    • The bug is incredibly simple, but that’s also what makes it interesting.
    • WORST FIT EVER … perfect for a Friday afternoon,
  • Fallacies (85%)
    The author uses inflammatory rhetoric by describing the vulnerability as 'nasty bug with a very simple exploit' and 'perfect for a Friday afternoon'. This is an attempt to elicit an emotional response from the reader and may influence their perception of the severity of the issue.
    • ]Within 24 hours of the vulnerability and accompanying patch being published, researchers reported Internet scans designed to identify servers that are susceptible to attacks.[
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

99%

  • Unique Points
    • A new PHP for Windows remote code execution (RCE) vulnerability, tracked as CVE-2024-4577, has been disclosed and impacts all releases since version 5.x.
    • The flaw is caused by an oversight in handling character encoding conversions on Windows when PHP is used in CGI mode.
    • Attackers can bypass previous protections of CVE-2012-1823 and execute arbitrary code on remote PHP servers through argument injection attacks.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (95%)
    The article contains an appeal to authority when it mentions the discovery and reporting of the vulnerability by Devcore Principal Security Researcher Orange Tsai. However, no formal fallacies or dichotomous depictions were found in the text.
    • ]A new PHP for Windows remote code execution (RCE) vulnerability has been disclosed[.
    • The CVE-2024-4577 flaw is caused by an oversight in handling character encoding conversions, specifically the 'Best-Fit' feature on Windows when PHP is used in CGI mode.[
    • Devcore Principal Security Researcher Orange Tsai discovered and reported the vulnerability to the PHP developers.[
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

99%

  • Unique Points
    • The flaw also affects all version of the XAMPP development environment installed on Windows.
    • The flaw is the result of an incomplete fix for a separate vulnerability from 2012.
    • Attackers can exploit the vulnerability in two specific scenarios: when PHP is running in CGI mode or when the PHP binary is exposed in CGI directory (the default mode for XAMPP).
    • Researchers from the Shadowserver Foundation have already observed scanning activity targeting this bug.
  • Accuracy
    • Updated versions of PHP 8.3, 8.2, and 8.1 were released on June 6.
    • XAMPP has not released an update for this flaw yet.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

100%

  • Unique Points
    • A critical vulnerability in PHP, identified as CVE-2024-4577, has been disclosed and requires system administrators to update their PHP installations.
    • The vulnerability allows unauthenticated attackers to trigger code execution on targeted servers and take complete control when PHP is configured to allow certain types of CGI interaction or the PHP binary is exposed.
    • The flaw occurs due to an oversight in encoding conversion within the Windows operating system that allows specific character sequences to bypass previous protection.
    • Windows systems running Japanese, traditional Chinese, or simplified Chinese are presumed to be vulnerable. For other systems, vulnerability depends on whether CGI mode is enabled.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • CVE-2024-4577 is a critical vulnerability in PHP with an initial CVSS score of 9.8
    • This vulnerability allows for remote code execution due to improper input validation
    • Attackers can exploit this flaw to execute arbitrary code on affected servers, potentially compromising entire systems
    • Imperva Web Application Firewall protects against attack attempts trying to exploit CVE-2024-4577
    • Several thousands of attacks targeting US- and Brazil-based financial services, healthcare, and business sites have been seen so far
  • Accuracy
    • The bug has only been known to affect Windows-based PHP installations in Japanese and Chinese
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication