PHP code vulnerability targeted by hackers on Windows servers
This vulnerability, identified as CVE-2024-4577, is a CGI parameter injection vulnerability. Currently, the severity level of the vulnerability has not been determined, but it affects all versions of PHP running on the Windows operating system. The vulnerability was discovered while the research team was patching another vulnerability.
According to the research team from DEVCORE, this vulnerability appeared when the team patched CVE-2012-1823: "During the PHP implementation process, the team overlooked the Best-Fit feature of encoding conversion in the Windows operating system," they explained. "This allows unauthenticated hackers to bypass the protection layer of CVE-2012-1823 by using special character strings. As a result, arbitrary malicious code can be executed on remote PHP servers through argument injection attacks."
Patches for this vulnerability have been released, with updated versions including 8.3.8, 8.2.20, and 8.1.29. Users are advised to update immediately due to evidence that hackers are scanning the internet for vulnerable systems.
According to The Hacker News report, the Shadowserver Foundation has detected hacker probes targeting endpoints to find this vulnerability. "We have seen multiple IP addresses testing the PHP/PHP-CGI CVE-2024-4577 (Parameter Injection Vulnerability) on our honeypot sensors since June 7," the organization stated on the X platform. This vulnerability affects PHP running on Windows operating systems.
DEVCORE also announces that all XAMPP installations on Windows are vulnerable if using Traditional Chinese, Simplified Chinese, or Japanese languages by default. Therefore, administrators should replace old PHP CGI with methods such as Mod-PHP, FastCGI, or PHP-FPM.
"This vulnerability is extremely simple, but this is precisely what makes it noteworthy," the researchers say. "Who could have guessed that a patch reviewed and trusted for 12 years could be overlooked due to a small feature in the Windows operating system?"
Comments are closed