The PHP team recently released a patch for a remote code execution vulnerability (CVE-2024-4577) in some versions of PHP. When PHP is used in a CGI-based setup (such as Apache's mod_cgid), php-cgi receives a processed query string parameter as command-line arguments, which allows command-line switches such as -s, -d or -c to be passed to the php-cgi binary. This can be exploited to disclose source code and obtain arbitrary code execution.
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. If you are a PHP user, check your system and implement timely security hardening.
Reference:
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
Severity: critical
(Severity: low, moderate, important, and critical)
Affected versions:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
Notice: This vulnerability affects all versions of PHP installed on the Windows operating system. The PHP 8.0, PHP 7, and PHP 5 branches are End-of-Life and are no longer maintained.
Secure versions:
PHP 8.3 >= 8.3.8
PHP 8.2 >= 8.2.20
PHP 8.1 >= 8.1.29
This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to the latest secure version.
https://www.php.net/downloads.php
For systems that cannot be upgraded, the following instructions can be used to temporarily mitigate the vulnerability.
The following Rewrite Rules can be used to block attacks. Please note that these rules are only a temporary mitigation for Traditional Chinese, Simplified Chinese, and Japanese locales. It is still recommended to update to a patched version or migrate the architecture in practice.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
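To see whether requests matching this rule have already reached the server, the same condition can be applied to the Apache access log. The Python script below is an added example, not part of the original advisory; it assumes the common/combined log format, and the sample log lines and function names are constructed for illustration.

```python
import re

# Same condition as the RewriteCond above: the raw query string begins
# with "%ad", compared case-insensitively ([NC]).
RULE = re.compile(r"^%ad", re.IGNORECASE)

# Assumed format: host ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def query_string(target):
    """Return the raw (still percent-encoded) query string of a request target."""
    _, sep, query = target.partition("?")
    return query if sep else ""

def find_hits(lines):
    """Return (host, time, status, target) for requests the rule would match."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        if RULE.search(query_string(m["target"])):
            hits.append((m["host"], m["time"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder query values).
SAMPLE = [
    '198.51.100.7 - - [07/Jun/2024:10:01:02 +0800] "GET /index.php?id=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jun/2024:10:01:05 +0800] "POST /index.php?%ADplaceholder HTTP/1.1" 200 87',
    '203.0.113.9 - - [07/Jun/2024:10:01:09 +0800] "GET /test.php?%adplaceholder HTTP/1.1" 403 199',
    '198.51.100.7 - - [07/Jun/2024:10:02:00 +0800] "GET /search.php?q=50%25adults HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for host, when, status, target in find_hits(SAMPLE):
        # 403 is the response the [F] flag produces; other statuses mean the
        # request was not rejected by the rule and should be reviewed.
        note = "blocked" if status == 403 else "REVIEW: not blocked"
        print(f"{when} {host} {status} {target} -> {note}")
```

Matching requests that were answered with a status other than 403 reached PHP before the rule was in place and are the ones to investigate first.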
XAMPP has not yet released corresponding update files for this vulnerability at the time of writing this article. If you confirm that you do not need the PHP CGI feature, you can avoid exposure to the vulnerability by modifying the following Apache HTTP Server configuration:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Locate the corresponding line:
ScriptAlias /php-cgi/ "C:/xampp/php/"
And comment it out:
# ScriptAlias /php-cgi/ "C:/xampp/php/"
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.