Researchers at DEVCORE found a serious vulnerability in PHP that could allow attackers to remotely execute malicious code on affected servers. Due to PHP’s widespread use and the simplicity of exploiting this flaw, DEVCORE classified it as critical and swiftly reported it to the PHP development team. A fix was released on June 6th, 2024. For more details about the disclosure timeline, please refer to the official resources.
_____________________________
A. Nature of the Vulnerability
CVE-2024-4577
- A flaw in PHP’s handling of encoding on Windows systems wasn’t addressed during development.
- This oversight allows attackers to bypass an earlier security fix (CVE-2012-1823) using specific characters.
- This vulnerability lets attackers potentially take control of vulnerable PHP servers (remote code execution).
_____________________________
B. Affected Version
| Versions | Affected Version |
| PHP 8.3 | < 8.3.8 |
| PHP 8.2 | < 8.2.20 |
| PHP 8.1 | < 8.1.29 |
Note: This vulnerability affects all versions of PHP installed on the Windows operating system. PHP versions 8.0, 7.x, and 5.x are no longer receiving official security updates because they’ve reached their end-of-life (EOL). This means they are vulnerable to known and unknown security exploits.
If you’re using one of these versions, visit the ○ https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/ to check your risk and may offer temporary workarounds.
_____________________________
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Kindly review and apply the necessary updates/workaround to mitigate future threats.
- For additional information, kindly refer to the official report.
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/