Critical PHP Remote Code Execution Flaw let Attackers Inject Malicious Scripts

The widely used PHP programming language has been discovered with a new remote code execution vulnerability deemed critical severity.

Further, this vulnerability is related to a previously discovered and patched vulnerability, CVE-2012-1823, associated with arbitrary code execution.

EHA

However, PHP has patched this vulnerability as of June 6, 2024, and necessary security advisories have been released. This vulnerability affects multiple versions of PHP, including end-of-life versions such as PHP 5, PHP 7, and PHP 8.0.

PHP Remote Code Execution Flaw

According to the advisory shared, this vulnerability (CVE-2024-4577) exists due to an unnoticed flaw in the Best-Fit feature of encoding conversing within the Windows Operating System.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

This flaw allows threat actors to bypass the protection of CVE-2012-1823 and execute remote code via specific character sequences. Further, the arbitrary code is executed on the remote PHP server through an argument injection attack. 

To explain further, there are two scenarios of exploitation: running PHP under CGI mode and Exposing the PHP binary along with the default XAMPP configuration.

The first scenario of running PHP under CGI mode involves the configuring of the Action directive to map corresponding HTTP requests to a PHP-CGI executable binary in the Apache HTTP server.

This exploitation scenario is direct and affects common configurations, which includes 

AddHandler cgi-script .php
Action cgi-script “/cgi-bin/php-cgi.exe”
or 
<FilesMatch “\.php$”>
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
Action application/x-httpd-php-cgi “/php-cgi/php-cgi.exe”

For the second scenario of exposing the PHP binary, even if the PHP is not configured with CGI mode, an exposed PHP binary executable in the CGI directory is vulnerable to exploitation. For this exploitation to take place, there are two conditions which make the exploitation possible.

  1. Copying the php.exe or php-cgi.exe file to the /cgi-bin/ directory.
  2. Exposing the PHP directory via ScriptAlias directive, such as:

ScriptAlias /php-cgi/ “C:/xampp/php/”

How To Fix It?

To fix this vulnerability, it is recommended that users upgrade their PHP versions to the latest versions like 8.3.8, 8.2.20, and 8.1.29, which will be vulnerable. If upgrading is not possible, two workarounds can be followed.

1. Cannot Upgrade PHP

The following rewrite rules can be used to block attacks.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]

2. Using XAMPP For Windows:

Since there is no official update file corresponding to this vulnerability, if there is no need for the PHP CGI feature, the Apache HTTP server configuration can be modified with the following configuration to avoid the exposure.

C:/xampp/apache/conf/extra/httpd-xampp.conf

Locating The Corresponding Lines:

ScriptAlias /php-cgi/ “C:/xampp/php/”

And comment it out:

# ScriptAlias /php-cgi/ “C:/xampp/php/”

PHP versions affected by this vulnerability include

  • PHP 8.3 < 8.3.8
  • PHP 8.2 < 8.2.20
  • PHP 8.1 < 8.1.29

and End of Life products like PHP 8.0, PHP 7, and PHP 5. 

Users of these PHP versions are recommended to upgrade to the latest PHP versions to prevent threat actors from exploiting this vulnerability.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.