PHP New Patch to Fix Remote Code Execution Vulnerability

TapTechNews, June 8th: the PHP project maintenance team yesterday released a new patch fixing a Remote Code Execution (RCE) vulnerability in PHP for Windows, and urged users to update as soon as possible to versions 8.3.8, 8.2.20 and 8.1.29, released on June 6th.

PHP is a widely used open source scripting language designed for web development and is typically used on Windows and Linux servers.

OrangeTsai, the chief security researcher of Devcore, discovered this new RCE vulnerability on May 7th, 2024 and reported it to PHP developers.

TapTechNews note: The vulnerability tracking number is CVE-2024-4577, which affects all versions since version 5.x and may have an impact on a large number of servers globally.


In addition, the Shadowserver Foundation released an announcement, stating that it has detected that hackers are scanning servers with this vulnerability.

The CVE-2024-4577 vulnerability is caused by an oversight in how character encoding conversions are handled. PHP running in CGI mode on Windows, especially in a server environment where Windows applies its Best-Fit encoding conversion, is exposed to attack.

DevCore's advisory explains:

When implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system.

Unauthorized attackers can take advantage of this vulnerability to bypass the previous protection for CVE-2012-1823 through specific character sequences. Through parameter injection attacks, arbitrary code can be executed on a remote PHP server.

Analysts explain that even if PHP is not configured to run in CGI mode, CVE-2024-4577 may still be exploitable as long as a PHP executable (such as php.exe or php-cgi.exe) is located in a directory the web server exposes.
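As an added example (not from the article, PHP or DevCore), a small triage helper for inventorying Windows hosts: it maps the banner printed by `php -v` or `php-cgi -v` onto the fixed releases named above, and treats branches that received no fix as affected. The banner format, the `cgi-fcgi` SAPI label and the sample banners are assumptions made for this example.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
# Branches absent here (8.0, 7.x, 5.x) received no fix and are treated
# as affected, matching the "all versions since 5.x" statement.
FIXED_VERSIONS = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Assumed first line of `php -v` / `php-cgi -v`, e.g.
# "PHP 8.2.19 (cgi-fcgi) (built: ...)". The SAPI name in the first
# parentheses tells us whether this binary is the CGI one.
_BANNER = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)\S* \(([^)]+)\)")


def parse_banner(banner: str):
    """Return ((major, minor, patch), sapi) from a php -v banner, or None."""
    m = _BANNER.match(banner.strip())
    if not m:
        return None
    major, minor, patch, sapi = m.groups()
    return (int(major), int(minor), int(patch)), sapi


def is_patched(version: tuple) -> bool:
    """True only if version is at or above the fixed release of its branch."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return False  # no fix shipped for this branch: treat as affected
    return version >= fixed


def triage(banner: str) -> str:
    """Classify a banner as patched, affected, affected-cgi or unknown."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    version, sapi = parsed
    if is_patched(version):
        return "patched"
    return "affected-cgi" if sapi == "cgi-fcgi" else "affected"


if __name__ == "__main__":
    # Constructed sample banners, not real output from any host.
    for b in ("PHP 8.2.19 (cgi-fcgi) (built: May  8 2024 10:00:00) (ZTS)",
              "PHP 8.3.8 (cli) (built: Jun  4 2024 09:00:00) (NTS)",
              "PHP 8.0.30 (cli) (built: Aug  3 2023 12:00:00) (NTS)"):
        print(triage(b), "<-", b)
```

Run it against the banners collected from each host's PHP binaries; any result other than "patched" means the host still needs the June 6th release.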
