PHP CGI Windows Platform Remote Code Execution Vulnerability (CVE-2024-4577) Advisory

PHP CGI Windows Platform Remote Code Execution Vulnerability (CVE-2024-4577) Advisory

junho 12, 2024 | NSFOCUS

Overview

NSFOCUS CERT has monitored the disclosure of a PHP CGI Windows platform remote code execution vulnerability (CVE-2024-4577) on the internet recently. Due to PHP’s oversight of the Best-Fit character mapping feature of the Windows system during its design, running PHP in CGI mode on the Windows platform and using the following language settings (Simplified Chinese 936/Traditional Chinese 950/Japanese 932, etc.) are affected by this vulnerability. Unauthenticated attackers can construct malicious requests to bypass the protection of the CVE-2012-1823 patch and execute arbitrary code remotely through parameter injection. The PoC of the vulnerability has been made public, and users are advised to take protective measures as soon as possible.

PHP is a widely used open-source scripting language commonly used for web development; PHP CGI is a method of running PHP scripts through the Common Gateway Interface (CGI) to handle HTTP requests and generate dynamic web content.

Reference link:

https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability

Affected Scope

Affected Versions

PHP 8.3 < 8.3.8

PHP 8.2 < 8.2.20

PHP 8.1 < 8.1.29

Note: Official support and maintenance for PHP 8, PHP 7, and PHP 5 have been discontinued.

Unaffected Versions

PHP 8.3 >= 8.3.8

PHP 8.2 >= 8.2.20

PHP 8.1 >= 8.1.29

Vulnerability Detection

Version Detection

Users of PHP CGI on the Windows system can determine whether the application is within the affected scope by checking the PHP version:

php -v

Protection Methods

Upgrade

This vulnerability has already been fixed in the latest version officially, and users affected are advised to upgrade their version as soon as possible for protection. Official download link: https://www.php.net/downloads.php

Other Mitigation Measures

If users are temporarily unable to upgrade, the following measures can be taken for temporary protection:

  • If the business does not use PHP-CGI, it is recommended to disable the CGI function temporarily.
  • Users in Traditional Chinese, Simplified Chinese, and Japanese language environments can use the following rewrite rules for attack protection:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

(Note: In practice, updating to a secure version or migrating the architecture is still recommended.)

  • For users of XAMPP for Windows, if it is confirmed that PHP CGI functionality is not needed, the vulnerability’s impact can be avoided by modifying the following Apache HTTP Server configuration: C:/xampp/apache/conf/extra/httpd-xampp.conf

Find the corresponding line:

ScriptAlias /php-cgi/ "C:/xampp/php/"

And comment it out:

# ScriptAlias /php-cgi/ "C:/xampp/php/"

Declaration

This security advisory is solely for the purpose of describing potential security issues, and NSFOCUS does not provide any warranties or commitments for this security advisory. NSFOCUS and the author of this security advisory are not responsible for any direct or indirect consequences and losses caused by the dissemination or use of the information provided in this security advisory. NSFOCUS reserves the right to modify and interpret this security advisory. If you wish to reprint or disseminate this security advisory, you must ensure the integrity of this security advisory, including the copyright statement and all content. Without the permission of NSFOCUS, do not arbitrarily modify or reduce the content of this security advisory, and do not use it for commercial purposes in any way.