CVE-2024-4577: Critical PHP Vulnerability Exposes Millions of Servers to RCE

CVE-2024-4577

Cybersecurity firm DEVCORE has discovered a critical remote code execution vulnerability in the PHP programming language, a cornerstone of the web ecosystem. The vulnerability, tracked as CVE-2024-4577, could potentially allow unauthenticated attackers to take full control of affected PHP servers.

CVE-2024-4577

The root of this vulnerability lies in the oversight of the Best-Fit feature of encoding conversion within the Windows operating system during PHP implementation. This oversight allows attackers to bypass protections implemented for a previous vulnerability, CVE-2012-1823, through specific character sequences. As a result, arbitrary code can be executed on remote PHP servers via an argument injection attack, enabling unauthorized access and control.

While the CVE-2024-4577 vulnerability impacts all versions of PHP on Windows, the most affected versions are those still under active maintenance:

  • PHP 8.3 (versions before 8.3.8)
  • PHP 8.2 (versions before 8.2.20)
  • PHP 8.1 (versions before 8.1.29)

DEVCORE has classified the vulnerability as “critical” due to its widespread impact and the relative ease with which it can be exploited. The firm promptly reported the issue to the PHP development team, who released patches on June 6th, 2024. It is important to note that branches PHP 8.0, PHP 7, and PHP 5 are now End-of-Life and no longer maintained.

Users of XAMPP, a popular PHP development environment for Windows, are particularly vulnerable due to a default configuration that exposes the PHP binary. XAMPP has not yet released an update for this vulnerability, but DEVCORE has provided instructions on how to temporarily mitigate the risk.

Due to the severity of this vulnerability, it is strongly recommended to upgrade PHP to versions 8.3.8, 8.2.20, and 8.1.29. For systems that cannot be upgraded, temporary measures include:

  1. Blocking Attacks via Rewrite Rules: Specific rewrite rules can block attacks for Traditional Chinese, Simplified Chinese, and Japanese locales.
    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^%ad [NC]
    RewriteRule .? - [F,L]
  2. Configuration Adjustments for XAMPP Users: Commenting out the ScriptAlias directive in httpd-xampp.conf:
    # ScriptAlias /php-cgi/ "C:/xampp/php/"

Security experts are emphasizing the urgency of patching this vulnerability, given PHP’s ubiquity on the web. According to W3Techs, nearly 76.2% of all websites use PHP on the server-side. This means millions of websites could be at risk if the vulnerability is not addressed promptly.

Update:

  1. The technical details and proof-of-concept exploit for this flaw have been published.
  2. This flaw has a CVSS score of 9.8.