CVE-2024-8926

php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)

Publication Date2024-10-07
SeverityHigh
TypeRemote Code Execution
Affected PHP Versions
  • 5.6.0-7.1.33
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.30
  • 8.2.0-8.2.24
  • 8.3.0-8.3.12
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3

CVE Details

When using a certain non-standard configurations of Windows codepages, the fixes for  CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3  may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. A flaw was found in PHP that bypasses the fix implemented in CVE-2024-4577 when using a non-standard configuration of Windows codepages, only obtainable through the registry by pointing the ACP codepage to an OEM codepage. The required configuration is unlikely to occur in a real environment.

Recommendations

We recommend upgrading to a known patched version of PHP.

If you cannot, you can mitigate this attack in a couple of ways:

  • apply a mod_rewrite rule to block attacks, like the following:

    RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]

  • If you use XAMPP and do not need the PHP CGI feature, find the 'ScriptAlias' directive in the Apache configuration file (typically at 'C:/xampp/apache/conf/extra/httpd-xampp.conf') and comment it out.

Admins can determine if they use PHP-CGI using the phpinfo() function and checking the 'Server API' value in the output.

It is suggested that system administrators consider migrating from CGI to more secure alternatives, like FastCGI, PHP-FPM, and Mod-PHP.