Upgrade Your PHP Installations for A Critical RCE Flaw Patch - آپا
Upgrade Your PHP Installations for A Critical RCE Flaw Patch
- 16 Jun 2024
- News Code: 2207355
- 1027
Researchers have discovered a serious remote code execution vulnerability affecting PHP installations. As observed, this RCE flaw threatens Windows systems, thus requiring an immediate patch with the latest PHP versions. A Simple PHP RCE Flaw Poses Severe Threat to Windows Servers Sharing the details in a blog post, DEVCORE researchers warned users of the remote code execution (RCE) flaw in PHP that risks Windows servers. The vulnerability is basically a bypass for a previously patched flaw, CVE-2012-1823. First reported in 2012, this 12-year-old vulnerability affected the PHP-CGI query string parameter. An unauthenticated adversary could exploit the flaw for various malicious purposes, including triggering a denial of service, viewing source code, and executing arbitrary codes.
Upon discovery and bug report, the vulnerability received a fix with PHP versions 5.4.3 and 5.3.13. However, after over a decade, DEVCORE researchers found that bypassing the patch remains possible, allowing RCE attacks. This bypass became possible due to Windows’ Best-Fit feature of encoding conversion. An adversary could enter specific character sequences to execute arbitrary codes via argument injection attack.
The new vulnerability, CVE-2024-4577, affects almost all existing PHP versions, receiving a fix with PHP versions 8.3.8, 8.2.20, and 8.1.29, respectively. Typically, the researchers found Windows-based PHP installations running in the Chinese (traditional and simplified) and Japanese locales and all XAMPP installations vulnerable. Nonetheless, they believe that the flaw might also impact other locales. Hence, users running PHP versions 8.3.x, 8.2.x, and 8.1.x earlier than the patched releases must upgrade their systems immediately to receive the fix. Besides, where an immediate system upgrade isn’t feasible, researchers advise users to deploy mitigations
References:
https://latesthackingnews.com/2024/06/12/upgrade-your-php-installations-for-a-critical-rce-flaw-patch