Critical PHP on Windows Vulnerability (CVE-2024-4577)
Vulnerability
A critical code execution vulnerability has been found in PHP running on Windows through Apache CGI or XAMPP. The issue stems from the way PHP on Windows converts Unicode characters into ASCII using the Windows Best Fit feature, which revives a very old vulnerability (CVE-2012-1823). It can be exploited via argument injection: user-supplied input is passed into the command line, which PHP then executes.
Vulnerable Versions
This vulnerability affects all versions of PHP installed on the Windows operating system. The vulnerable ranges are:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
The PHP 8.0, PHP 7, and PHP 5 branches are End-of-Life and no longer receive fixes; see the suggested mitigation below.
Remediation
Update PHP; fixed releases of PHP 8.3, 8.2, and 8.1 were published on June 6.
Apache:
If your PHP version has not been updated, this can be mitigated in Apache by not using PHP-CGI; use mod_php or PHP-FPM instead. Look in your Apache configuration for:
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
Or
SetHandler application/x-httpd-php-cgi
XAMPP:
Make sure the PHP binary is not exposed in the CGI directory (as it is in the default setup), either by being present in that directory or by being mapped with a ScriptAlias directive.
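As an added example (not part of the original advisory), the following Python script checks a PHP version string against the fixed releases listed above and scans an Apache httpd.conf fragment for the CGI handler directives and ScriptAlias exposure described in the Apache and XAMPP remediation steps; the sample configuration and version strings are constructed.

```python
import re

# Fixed releases from the advisory; anything older on the same branch is vulnerable.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# Apache directives named in the remediation section, matched case-insensitively.
CGI_PATTERNS = [
    (r"^\s*AddHandler\s+cgi-script\s+.*\.php\b", "AddHandler maps .php to cgi-script"),
    (r"^\s*Action\s+cgi-script\s+.*php-cgi", "Action routes cgi-script to php-cgi"),
    (r"^\s*SetHandler\s+application/x-httpd-php-cgi\b", "SetHandler uses application/x-httpd-php-cgi"),
    (r"^\s*ScriptAlias\s+.*php-cgi", "ScriptAlias exposes the php-cgi binary"),
]

def parse_version(version):
    """Turn '8.3.7' (or '8.3.7-dev') into (8, 3, 7)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    return tuple(int(x) for x in m.groups())

def version_vulnerable(version):
    """True if the build is older than its branch's fixed release. Branches with no
    listed fix (8.0, 7.x, 5.x are EOL) are treated as unpatched; that is this script's assumption."""
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    return fixed is None or (major, minor, patch) < fixed

def cgi_findings(conf_text):
    """Return (description, line) pairs for active directives that route PHP through CGI."""
    findings = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # commented-out directives are inactive
            continue
        for pattern, description in CGI_PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((description, line.strip()))
    return findings

# Constructed sample httpd.conf fragment (not taken from any real deployment).
SAMPLE_CONF = """\
# AddHandler cgi-script .php    <- commented out, must be ignored
ScriptAlias /php-cgi/ "C:/xampp/php/"
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
    SetHandler application/x-httpd-php-cgi
"""

if __name__ == "__main__":
    print({v: version_vulnerable(v) for v in ("8.3.7", "8.3.8", "7.4.33")})
    print(cgi_findings(SAMPLE_CONF))
```

Run it against your real httpd.conf (and, for XAMPP, httpd-xampp.conf) by reading the file into cgi_findings; an empty result for both checks means the two mitigations above are in place.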
If you're unsure how to check whether your PHP version is vulnerable, take a look at our UK web application and API penetration testing services.