New details They emerged about a new critical security flaw affecting PHP that could be exploited to achieve remote code execution under certain circumstances.
PHP: what is it in brief
Abbreviation for Hypertext Preprocessor is a server-side scripting language designed primarily for web development; is one of the most popular languages for creating dynamic, interactive websites due to its ease of use and its ability to integrate with databases like MySQL.
PHP can be inserted directly into HTML code, allowing you to run scripts on the server to generate personalized web content for each user request; it is open source and supported by a large community of developerswhich means there is a large amount of resources, extensions and frameworks available.
Basically it is a somewhat complicated language and not really suitable for beginners.
What is known about the vulnerability of the well-known language that affects Windows operating systems
The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system.
According to security researcher DEVCORE, the flaw makes it possible to bypass protections put in place for another security flaw, CVE-2012-1823.
“While implementing PHP, the team didn’t notice the feature Best-Fit of encoding conversion within the Windows operating system“, has said security researcher Orange Tsai.
“This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 via specific character sequences. Arbitrary code can be executed on remote PHP servers via argument injection attack.”
Following responsible disclosure on May 7, 2024, a fix for the vulnerability was made available in PHP versions 8.3.8, 8.2.20 and 8.1.29.
DEVCORE warned that all installations of XAMPP on Windows are vulnerable by default when configured to use localizations for Traditional Chinese, Simplified Chinese, or Japanese.
The Taiwanese company also recommends that administrators completely abandon the outdated PHP CGI and opt for a more secure solution such as Mod-PHP, FastCGI or PHP-FPM.
“This vulnerability is incredibly simple, but that’s also what makes it interesting“Tsai said. “Who would have thought that a patch, which has been reviewed and proven safe for the last 12 years, could be bypassed because of a small Windows feature?“
The Shadowserver Foundation, in a post shared on X, said it had already detected attempts to exploit the flaw against its honeypot servers within 24 hours of the public disclosure.
watchTowr Labs said it was able to devise an exploit for CVE-2024-4577 and achieve remote code execution, making it imperative that users quickly apply the latest patches.
“A nasty bug with a very simple exploit“said security researcher Aliz Hammond. “Those operating in an affected configuration under one of the affected localizations – Chinese (simplified or traditional) or Japanese – they are advised to do this as quickly as possible, as the bug has a high probability of being exploited on a large scale due to the low complexity of the exploit.“
PHP vulnerabilities that have occurred in the past
PHP has a long history of security vulnerabilities that have required rapid interventions to protect systems. Some notable examples include:
- CVE-2019-11043: A buffer overflow vulnerability that allowed remote code execution on PHP-FPM servers.
- CVE-2018-14883: A command injection issue that could be exploited to execute arbitrary commands on the server.
- CVE-2016-5766: A flaw in PHP’s session manager that could lead to arbitrary code execution.
- CVE-2015-4601: A deserialization issue that could be exploited for remote code execution.
These examples highlight the importance of keeping PHP installations up to date and applying security patches promptly.
#PHP #flaw #Windows #remote #code #execution
