Critical PHP Remote Code Execution Flaw let Attackers Inject Malicious Scripts

The broadly oldschool PHP programming language has been found with a brand unique far away code execution vulnerability deemed serious severity.

Extra, this vulnerability is linked to a beforehand found and patched vulnerability, CVE-2012-1823, linked with arbitrary code execution.

Alternatively, PHP has patched this vulnerability as of June 6, 2024, and critical security advisories had been released. This vulnerability impacts loads of variations of PHP, together with conclude-of-existence variations resembling PHP 5, PHP 7, and PHP 8.0.

PHP Faraway Code Execution Flaw

In line with the advisory shared, this vulnerability (CVE-2024-4577) exists attributable to an omitted flaw within the Finest-Match characteristic of encoding conversing during the Windows Working Gadget.

This flaw permits chance actors to bypass the protection of CVE-2012-1823 and diagram far away code by strategy of particular persona sequences. Extra, the arbitrary code is done on the far away PHP server through an argument injection assault.

To point out extra, there are two eventualities of exploitation: working PHP beneath CGI mode and Exposing the PHP binary alongside with the default XAMPP configuration.

The first scenario of working PHP beneath CGI mode contains the configuring of the Action directive to plan corresponding HTTP requests to a PHP-CGI executable binary within the Apache HTTP server.

This exploitation scenario is divulge and impacts traditional configurations, which contains

AddHandler cgi-script .php
Action cgi-script “/cgi-bin/php-cgi.exe”
or

SetHandler utility/x-httpd-php-cgi

Action utility/x-httpd-php-cgi “/php-cgi/php-cgi.exe”

For the second scenario of exposing the PHP binary, even supposing the PHP is now now not configured with CGI mode, an exposed PHP binary executable within the CGI directory is at chance of exploitation. For this exploitation to occur, there are two stipulations which originate the exploitation attainable.

1. Copying the php.exe or php-cgi.exe file to the /cgi-bin/ directory.
2. Exposing the PHP directory by strategy of ScriptAlias directive, resembling:

ScriptAlias /php-cgi/ “C:/xampp/php/”

How To Fix It?

To repair this vulnerability, it’s suggested that users upgrade their PHP variations to basically the most modern variations cherish 8.3.8, 8.2.20, and 8.1.29, which will most likely be susceptible. If upgrading is now now not attainable, two workarounds would per chance be followed.

1. Can now now not Reinforce PHP

The following rewrite guidelines would per chance be oldschool to block assaults.

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%advert [NC]
RewriteRule .? – [F,L]

2. The utilize of XAMPP For Windows:

Since there would possibly be now not any loyal update file resembling this vulnerability, if there would possibly be now not any need for the PHP CGI characteristic, the Apache HTTP server configuration would per chance be modified with the next configuration to steer determined of the exposure.

C:/xampp/apache/conf/extra/httpd-xampp.conf

Locating The Corresponding Lines:

ScriptAlias /php-cgi/ “C:/xampp/php/”

And comment it out:

# ScriptAlias /php-cgi/ “C:/xampp/php/”

PHP variations affected by this vulnerability encompass

• PHP 8.3 < 8.3.8
• PHP 8.2 < 8.2.20
• PHP 8.1 < 8.1.29

and Discontinue of Existence products cherish PHP 8.0, PHP 7, and PHP 5.

Users of these PHP variations are suggested to upgrade to basically the most modern PHP variations to forestall chance actors from exploiting this vulnerability.