Exploits Out: PHP RCE Flaw CVE-2024-4577

Estimated read time 2 min read

A new critical remote code execution (RCE) vulnerability has been discovered in PHP, affecting all versions affects all PHP versions PHP since 5.x that are installed on MS Windows operating systems. The new vulnerability is impacting a massive number of servers worldwide vulnerable to remote code execution (RCE) attacks.

The new security, now tracked as CVE-2024-4577, was discovered by Devcore Principal Security Researcher Orange Tsai and he reported the issue to the PHP developers. The new vulnerability is abusing PHP’s handling of character encoding conversions, specifically the ‘Best-Fit’ feature on Windows when PHP is used in CGI mode.

CVE-2024-4577 Exploits

Multiple proof-of-concept (POC) exploits that can be used to exploit CVE-2024-4577 are now publicly available on GitHub

A screenshot of an exploit for CVE-2024-4577

CVE-2024-4577 Flaw

The CVE-2024-4577 flaw is caused by how PHP is handling character encoding conversions, this issue is affecting ‘Best-Fit’ feature on Windows when PHP is used in CGI mode. This will allows remote unauthenticated attackers to bypass execute arbitrary code on remote PHP servers through the argument injection attack.

The flaw is particularly severe, as it can be exploited even if PHP is not configured in CGI mode, as long as the PHP executables are in directories accessible by the web server. This means that all XAMPP installations on Windows are likely vulnerable by default.

How to fix CVE-2024-4577?

To fix this critical vulnerability, it is recommended to:

Upgrade to the latest supported PHP versions that have proper patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.
Apply a mod_rewrite rule to block attacks, like the following:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .?  [F,L]

If you are using XAMPP, comment out the ‘ScriptAlias‘ directive in the Apache configuration file (usually located at ‘C:/xampp/apache/conf/extra/httpd-xampp.conf‘) and disable the PHP CGI feature.
Consider migrating from CGI to more secure alternatives, like FastCGI, PHP-FPM, and Mod-PHP.

Mohamed Nabil Ali

A Trailblazing IT Expert, Technology Geek, and Bughunter.
Follow me on Twitter

You May Also Like

More From Author