PHP 8.1-8.3: Windows CGI Cmd Line Option Injection via Best-Fit CP
CVE-2024-4577 Published on June 9, 2024
Argument Injection in PHP-CGI
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Known Exploited Vulnerability
This PHP-CGI OS Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
The following remediation steps are recommended / required by July 3, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2024-4577 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2024-4577 has been classified as a Shell injection vulnerability or weakness.
Products Associated with CVE-2024-4577
Affected Versions
PHP Group PHP:
- Version 8.1.* and below 8.1.29 is affected.
- Version 8.2.* and below 8.2.20 is affected.
- Version 8.3.* and below 8.3.8 is affected.
- Version 8.1.0 and below 8.1.29 is affected.
- Version 8.2.0 and below 8.2.20 is affected.
- Version 8.3.0 and below 8.3.8 is affected.
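One way to turn the version ranges and deployment conditions above into an inventory check (an added example, not code from the advisory or from PHP). The inventory rows, the status labels and the assumption that a PHP-CGI install reports a SAPI name starting with `cgi` are illustrative; the code-page condition is not modelled because the advisory does not name the code pages.

```python
import re

# First unaffected release per branch, as listed in the advisory above.
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}

def parse_version(text):
    """Pull (major, minor, patch) out of e.g. 'PHP 8.2.12 (cgi-fcgi)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PHP version in {text!r}")
    return tuple(int(part) for part in m.groups())

def assess(version_text, os_family, sapi):
    """Classify one PHP install against the conditions the advisory names."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "branch-not-listed"   # advisory only lists 8.1, 8.2 and 8.3
    if version >= fixed:
        return "patched"
    # Unpatched build: exposed when served through PHP-CGI on Windows.
    # Assumption: the SAPI name starts with "cgi" for php-cgi ("cgi-fcgi").
    if os_family.lower() == "windows" and sapi.lower().startswith("cgi"):
        return "affected"
    return "unpatched-other-deployment"

def audit(inventory):
    """Map each host to its status and the release to upgrade to, if any."""
    report = {}
    for host, version_text, os_family, sapi in inventory:
        status = assess(version_text, os_family, sapi)
        fixed = FIXED.get(parse_version(version_text)[:2])
        target = ".".join(map(str, fixed)) if fixed and status != "patched" else None
        report[host] = (status, target)
    return report

# Constructed inventory rows: (host, version banner, OS family, SAPI name).
INVENTORY = [
    ("web01", "PHP 8.1.28 (cgi-fcgi)", "Windows", "cgi-fcgi"),
    ("web02", "PHP 8.2.20 (cgi-fcgi)", "Windows", "cgi-fcgi"),
    ("web03", "PHP 8.3.7 (fpm-fcgi)", "Linux", "fpm-fcgi"),
    ("web04", "PHP 7.4.33 (cgi-fcgi)", "Windows", "cgi-fcgi"),
]

if __name__ == "__main__":
    for host, (status, target) in audit(INVENTORY).items():
        print(f"{host}: {status}" + (f" (upgrade to {target})" if target else ""))
```

A host reported as `branch-not-listed` is outside the ranges this page gives, so its status has to come from the vendor's own guidance rather than from this check.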
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.