Vulnerability in PHP that allows code execution when running in CGI mode

Tomcat
A vulnerability has been identified in PHP (CVE-2024-4577), which allows you to run your code on the server or view the source code of a PHP script if you use PHP in CGI mode on the Windows platform (configurations with mod_php, php-fpm and FastCGI are not affected). The issue is fixed in PHP releases 8.3.8, 8.2.20, and 8.1.29.

The vulnerability is a special case of the CVE-2012-1823 issue fixed in 2012, where the added protection was not enough to block an attack on the Windows platform. The attack method boils down to the ability to substitute a command-line argument when running the PHP interpreter by manipulating the request parameters to the PHP script.

In the old vulnerability CVE-2012-1823, it was enough to specify command-line options instead of request parameters, for example, "http://localhost/index.php?-s" to display the source code of the script. The new vulnerability is based on the fact that the Windows platform provides automatic character conversion, which allows you to bypass the previously added protection by specifying characters that are present in some encodings and are replaced with the "-" character (for example, http://localhost/index.php?%ads).

The vulnerability was confirmed in configurations with locales for Traditional Chinese (cp950), Simplified Chinese (cp936), and Japanese (cp932), but it is possible that it may also occur with other locales. The problem manifests itself in the default configuration of the XAMPP suite (Apache + MariaDB + PHP + Perl), as well as in any Apache configuration in which php-cgi is set as the CGI script handler using the 'Action cgi-script "/cgi-bin/php-cgi.exe"' or 'Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"' setting, or when the PHP interpreter is placed directly in "/cgi-bin" or any other directory where CGI scripts can be executed via the ScriptAlias directive.

In addition, PHP updates 8.3.8, 8.2.20, and 8.1.29 address three other vulnerabilities:

• CVE-2024-5458 - ability to bypass the FILTER_VALIDATE_URL filter used when calling the filter_var function.

• CVE-2024-5585 - alternative attack vector for the CVE-2024-1874 vulnerability, which allows you to bypass previously added protection and perform command substitution when calling bat and cmd files via the proc_open function on the Windows platform (BatBadBut vulnerability).

• Vulnerability of the openssl_private_decrypt function to the Marvin attack.
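As an added defensive example (not part of the post above), the following Python scan applies the CGI rule the post describes to constructed Apache access-log lines: a query string with no unencoded "=" is split on "+" and passed to php-cgi as command-line arguments, so a request is flagged when its first argument would start with a literal "-" (the CVE-2012-1823 case) or with the byte 0xAD that the post shows Windows converting to "-" (the CVE-2024-4577 case). The log lines and addresses are constructed; the regex and helper names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [07/Jun/2024:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 2048
203.0.113.9 - - [07/Jun/2024:10:01:15 +0000] "GET /index.php?%ADs HTTP/1.1" 200 2048
198.51.100.2 - - [07/Jun/2024:10:02:00 +0000] "GET /index.php?id=%ad HTTP/1.1" 200 512
"""

# Request line of a common/combined log format: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# First-argument bytes that reach php-cgi as a leading "-": the hyphen itself,
# and 0xAD (Latin-1 soft hyphen), which Windows maps to "-" in the affected
# code pages as described in the post.
HYPHEN_LIKE = {0x2D, 0xAD}


def cgi_argv_from_query(raw_query: str) -> list[bytes]:
    """Model the RFC 3875 'indexed query' rule used by mod_cgi: only a query
    with no unencoded '=' becomes argv; it is split on '+' and each word is
    percent-decoded. The '=' test is done on the raw, undecoded string."""
    if raw_query == "" or "=" in raw_query:
        return []
    return [unquote_to_bytes(word) for word in raw_query.split("+")]


def is_suspicious(line: str) -> bool:
    """True when the request's query would hand php-cgi a leading option."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group("target"):
        return False
    _path, raw_query = m.group("target").split("?", 1)
    argv = cgi_argv_from_query(raw_query)
    return bool(argv) and len(argv[0]) > 0 and argv[0][0] in HYPHEN_LIKE


def scan(log_text: str) -> list[str]:
    """Return the log lines that match the php-cgi argument-injection pattern."""
    return [line for line in log_text.splitlines() if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("FLAGGED:", hit)
```

The fourth sample line is deliberately not flagged: because it contains "=", mod_cgi never turns it into arguments, so the %ad byte there is harmless for this bug.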