The PHP Group has fixed a vulnerability in all versions of PHP on Windows that can allow an attacker to execute arbitrary code. The flaw also affects all versions of the XAMPP development environment installed on Windows, and researchers have already seen attackers scanning for the flaw (CVE-2024-4577).
Updated versions of PHP 8.3, 8.2, and 8.1 were released on June 6, but a proof-of-concept exploit is already available, and the researchers who discovered the vulnerability say it can be exploited easily in a couple of scenarios. The flaw itself is an argument injection bug and is the result of an incomplete fix for a separate vulnerability from 2012.
“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack,” the researchers from Devcore, who discovered the bug, said in an analysis.
Researchers from the Shadowserver Foundation, which tracks exploit and attack activity across the Internet, said they have seen scanning activity already targeting this bug.
“We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows,” the group said Friday.
There are two specific scenarios in which attackers can exploit a vulnerable version of PHP. The first scenario is when PHP is running in CGI mode, which is quite common.
“When configuring the Action directive to map corresponding HTTP requests to a PHP-CGI executable binary in Apache HTTP Server, this vulnerability can be exploited directly,” the Devcore researchers said.
The second scenario is when the PHP binary is exposed in the CGI directory, which is the default mode for XAMPP, the widely used PHP development environment. XAMPP has not released an update for this flaw yet.
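As an added example (not code from the article, Devcore, Shadowserver, PHP or XAMPP), the following Python script audits an Apache httpd.conf for the two exposure patterns just described: an Action directive that maps requests onto the php-cgi executable, and a ScriptAlias that publishes a directory holding the php-cgi binary, which is how XAMPP exposes it by default. The sample configuration is constructed for the demonstration, and the `has_php_cgi` hook is a hypothetical parameter so the check can run without touching disk; on a real server the default probe looks for php-cgi in the aliased directory.

```python
"""Audit an Apache httpd.conf for the two PHP-CGI exposure patterns tied to
CVE-2024-4577 on Windows.  Hypothetical helper, not part of Apache or PHP."""
import os
import re
from dataclasses import dataclass

# Constructed sample config (hypothetical, not taken from any real install).
SAMPLE_CONF = """
# Scenario 1: Action maps .php requests onto the php-cgi binary
LoadModule actions_module modules/mod_actions.so
AddHandler php-cgi-script .php
Action php-cgi-script "/php-cgi/php-cgi.exe"

# Scenario 2: the PHP install directory is published as a CGI directory
ScriptAlias /php-cgi/ "C:/xampp/php/"
<Directory "C:/xampp/php">
    Options +ExecCGI
</Directory>

# Benign: the ordinary cgi-bin, with no PHP binary inside
ScriptAlias /cgi-bin/ "C:/Apache24/cgi-bin/"
"""

# Matches the php-cgi executable name (with or without the Windows extension).
PHP_CGI_NAME = re.compile(r"php-cgi(\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    scenario: str   # "action-to-php-cgi" or "php-cgi-in-cgi-dir"
    directive: str  # the offending config line, verbatim


def _tokens(args):
    """Split directive arguments, keeping double-quoted paths as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', args)]


def _dir_has_php_cgi(path):
    """Default probe: does this directory on disk hold a php-cgi executable?"""
    return any(os.path.isfile(os.path.join(path, name))
               for name in ("php-cgi.exe", "php-cgi"))


def audit_apache_conf(conf_text, has_php_cgi=_dir_has_php_cgi):
    """Return one Finding per Action directive whose target is php-cgi and per
    ScriptAlias whose target directory contains a php-cgi binary.
    `has_php_cgi(path)` is injectable so the audit can run offline."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        toks = _tokens(parts[1]) if len(parts) > 1 else []
        if len(toks) < 2:
            continue
        # Scenario 1: Action <handler> <cgi-path>; only the target path matters.
        if directive == "action" and PHP_CGI_NAME.search(toks[1]):
            findings.append(Finding(line_no, "action-to-php-cgi", line))
        # Scenario 2: ScriptAlias <url-prefix> <directory>; the last token is the dir.
        elif directive in ("scriptalias", "scriptaliasmatch") and has_php_cgi(toks[-1]):
            findings.append(Finding(line_no, "php-cgi-in-cgi-dir", line))
    return findings


def is_exposed(conf_text, has_php_cgi=_dir_has_php_cgi):
    """True when the config shows either exposure pattern."""
    return bool(audit_apache_conf(conf_text, has_php_cgi))


if __name__ == "__main__":
    # Fake probe so the sample runs offline: only the XAMPP path "contains" php-cgi.
    fake_probe = lambda p: p.replace("\\", "/").rstrip("/").lower() == "c:/xampp/php"
    for f in audit_apache_conf(SAMPLE_CONF, fake_probe):
        print(f"line {f.line_no}: {f.scenario}: {f.directive}")
```

A non-empty result means the host matches one of the two scenarios and should be treated as exposed until PHP is updated; the `<Directory>` block and `Options +ExecCGI` are left alone because the ScriptAlias line alone already establishes that the directory is served as CGI.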
Organizations that are running vulnerable versions of PHP should update as soon as possible.