A new PHP for Windows remote code execution (RCE) vulnerability has been disclosed, impacting all releases since version 5.x, potentially impacting a massive number of servers worldwide.

PHP is a widely used open-source scripting language designed for web development and commonly used on both Windows and Linux servers.

The new RCE flaw tracked as CVE-2024-4577, was discovered by Devcore Principal Security Researcher Orange Tsai on May 7, 2024, who reported it to the PHP developers. 

The PHP project maintainers released a patch yesterday, addressing the vulnerability.

However, the application of security updates on a project with such a large-scale deployment is complicated and could potentially leave a significant number of systems vulnerable to attacks for extended periods.

Unfortunately, when a critical vulnerability impacting many devices is disclosed, threat actors and researchers immediately begin attempting to find vulnerable systems.

Such is the case with CVE-2024-4577, as The Shadowserver Foundation has already detected multiple IP addresses scanning for vulnerable servers.

Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows.

Patches released June 6th: https://t.co/jM5HgGUZJF

Exploit PoC is public.

— The Shadowserver Foundation (@Shadowserver) June 7, 2024

The CVE-2024-4577 flaw

The CVE-2024-4577 flaw is caused by an oversight in handling character encoding conversions, specifically the 'Best-Fit' feature on Windows when PHP is used in CGI mode.

"While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system," explains a DevCore advisory.

"This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack."

This flaw circumvents the protections the PHP team had implemented in the past for CVE-2012-1823, which was exploited in malware attacks several years after its remediation.

The analysts explain that even if PHP is not configured in CGI mode, CVE-2024-4577 might still be exploitable as long as the PHP executables (e.g., php.exe or php-cgi.exe) are in directories that are accessible by the web server.

Due to this being the default configuration on XAMPP for Windows, DEVCORE warns that all XAMPP installations on Windows are likely vulnerable.

The issue is worse when certain locates that are more susceptible to this encoding conversion flaw are used, including Traditional Chinese, Simplified Chinese, and Japanese. 

As Devcore says the CVE-2024-4577 vulnerability impacts all versions of PHP for Windows, if you are using PHP 8.0 (End of Life), PHP 7.x (EoL), or PHP 5.x (EoL), you either need to upgrade to a newer version or use the mitigations described below.

Remediation strategy

 Those using supported PHP versions should upgrade to the versions that incorporate the patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.

For systems that cannot be immediately upgraded and users of EoL versions, it is recommended to apply a mod_rewrite rule to block attacks, like the following:

If you use XAMPP and do not need the PHP CGI feature, find the 'ScriptAlias' directive in the Apache configuration file (typically at 'C:/xampp/apache/conf/extra/httpd-xampp.conf') and comment it out.

Admins can determine if they use PHP-CGI using the phpinfo() function and checking the 'Server API' value in the output.

DEVCORE also suggests that system administrators consider migrating from CGI to more secure alternatives, like FastCGI, PHP-FPM, and Mod-PHP.