Researchers have discovered a critical RCE in PHP for Windows. CVE-2024-4577 allows unauthenticated people to bypass the protection for a previously fixed vulnerability (CVE-2012-1823) using specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.

https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/

Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability | DEVCORE 戴夫寇爾

While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.

@dangoodin are people running php servers in Windows?
Will Dormann (@[email protected])

There's a bit of chatter about PHP for Windows being used in CGI mode on certain locales: CVE-2024-4577. The example app that's vulnerable by default is XAMPP, which clearly states that it's NOT to be used in production (e.g. exposed to the internet). Does anybody have an example of a production-ready product that uses PHP in CGI mode on Windows?

Infosec Exchange