New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

A critical security flaw in PHP, identified as CVE-2024-4577, has been uncovered, posing a significant risk of remote code execution on Windows servers.

This vulnerability, categorized as a CGI argument injection flaw, affects all versions of PHP installed on the Windows operating system.

The vulnerability enables attackers to bypass existing protections implemented for CVE-2012-1823, allowing for arbitrary code execution on remote PHP servers through an argument injection attack.

DEVCORE security researcher Orange Tsai highlighted that this vulnerability stems from an oversight in PHP's implementation relating to encoding conversion within the Windows operating system.

The fix for CVE-2024-4577 has been included in PHP versions 8.3.8, 8.2.20, and 8.1.29, released after responsible disclosure on May 7, 2024.
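The fixed releases above can be turned into a quick triage over an inventory of Windows hosts. The following is an added example, not code from DEVCORE or the PHP project: it parses the first line of `php -v` output and compares it with the fixed release for its branch. The host names and banners are constructed sample data, and treating a pre-release build of a fixed version (such as an RC) as still needing the update is a conservative assumption.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# First line of `php -v`, e.g. "PHP 8.2.12 (cgi-fcgi) (built: ...)".
# Group 4 captures a pre-release suffix such as "RC1" or "-dev".
BANNER = re.compile(r"PHP (\d+)\.(\d+)\.(\d+)([A-Za-z-][\w.-]*)?")


def triage(banner):
    """Return (status, target_version) for one version banner."""
    m = BANNER.search(banner)
    if m is None:
        return ("unparsed", None)
    version = tuple(int(g) for g in m.group(1, 2, 3))
    branch = version[:2]
    if branch not in FIXED:
        # Older branches: the article names no fixed release for them.
        # Newer branches: outside what the article covers.
        status = "no-listed-fix" if branch < min(FIXED) else "not-covered"
        return (status, None)
    fixed = FIXED[branch]
    prerelease = m.group(4) is not None
    # Assumption: a pre-release of the fixed version is not counted as fixed.
    if version > fixed or (version == fixed and not prerelease):
        return ("patched", None)
    return ("update", ".".join(map(str, fixed)))


def triage_inventory(inventory):
    """Map each host to its triage result."""
    return {host: triage(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = {
    "web-01": "PHP 8.2.12 (cgi-fcgi) (built: Oct 24 2023 21:15:35)",
    "web-02": "PHP 8.3.8 (cli) (built: Jun  4 2024 16:03:50)",
    "web-03": "PHP 8.1.29RC1 (cli)",
    "legacy-01": "PHP 7.4.33 (cgi-fcgi)",
    "proxy-01": "nginx/1.25.3",
}

if __name__ == "__main__":
    for host, (status, target) in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:10} {status:14} {target or ''}")
```

A `no-listed-fix` result means the host runs a branch for which the article names no fixed release, so it needs a branch upgrade or the mitigation described below rather than a point update.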

DEVCORE has cautioned that all XAMPP installations on Windows are inherently vulnerable, particularly when configured with specific locales such as Traditional Chinese, Simplified Chinese, or Japanese.

DEVCORE recommends that administrators move away from PHP CGI in favor of more secure alternatives such as Mod-PHP, FastCGI, or PHP-FPM to mitigate the risk.