External risk intelligence

PHP CGI Vulnerability Allows Code Execution on Windows

CVE advisoryKnown Exploit

CVE-2024-4577

A PHP vulnerability on Windows systems using Apache and PHP-CGI can allow attackers to execute arbitrary code and expose source code. This impacts organizations running affected PHP versions on Windows, posing a risk of server compromise and data exposure. Mitigation is recommended.

4Halo Surface Signal

OS Command Injection

Php

8.1.0 to before 8.1.298.2.0 to before 8.2.208.3.0 to before 8.3.83940

External exposure likelihood

Halo Surface Signal score for CVE-2024-4577

This vulnerability affects the PHP-CGI module on Windows, which is commonly utilized in web server deployments to process requests. As a component that handles inbound web traffic and executes scripts in a web-facing capacity, it is frequently exposed to the public internet in standard web application environments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

When specific code pages are used on Windows systems with Apache and PHP-CGI, a vulnerability exists that can allow malicious actors to pass unintended commands to the PHP binary. This misinterpretation of characters can lead to the exposure of source code or the execution of arbitrary code on the server. The impact could affect organizations running vulnerable PHP versions on Windows with this specific configuration.

  • PHP CGI on Windows
  • Character misinterpretation allows commands
  • Source code exposure, arbitrary code execution

Attack Path

How an attacker could exploit the issue

The vulnerability affects PHP versions when used with Apache and PHP-CGI on Windows. Under specific code page configurations, Windows may misinterpret characters in commands sent to PHP CGI. This misinterpretation allows an attacker to inject malicious options into the PHP binary.

  • Exposure on Windows servers.
  • Attacker sends crafted request.
  • PHP misinterprets characters, executes commands.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability presents a critical risk due to its potential for exploitation without requiring special privileges or user interaction. This could allow attackers to execute arbitrary code, leading to the exposure of sensitive source code and full server compromise. The vulnerability is particularly concerning for organizations using PHP in CGI mode on Windows systems.

  • Attackers with low skill.
  • No access or conditions needed.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability in PHP on Windows, when utilized with Apache and PHP-CGI, presents a significant risk. This flaw allows unauthorized users to execute arbitrary code, potentially leading to the exposure of script source code and other severe compromises. Affected organizations should take immediate action to identify and mitigate this threat to protect their systems and data.

  • Locate exposed PHP assets.
  • Reduce exposure or isolate risk.
  • Apply fixes, verify, and monitor.

Frequently asked questions

What is the PHP CGI vulnerability CVE-2024-4577?

CVE-2024-4577 is a critical vulnerability affecting certain versions of PHP when running on Windows with Apache and PHP-CGI. It exploits how Windows handles character encoding in command lines, allowing attackers to inject unintended options into the PHP binary. This can lead to serious consequences like revealing script source code or executing arbitrary code on the server.

What type of weakness is CVE-2024-4577?

This vulnerability is classified as CWE-78, which denotes an OS command injection weakness. In simpler terms, an attacker can trick the software into running operating system commands they choose, rather than the ones the software was intended to run.

How can an attacker exploit CVE-2024-4577?

Exploitation requires an attacker to send a specially crafted request to a vulnerable PHP CGI application running on a Windows server. The vulnerability is triggered when the system's code page settings cause Windows to misinterpret characters in the command line passed to PHP CGI, making it execute unintended commands. The bug is not triggered if PHP is used in a different mode, such as with PHP-FPM.

Who should be concerned about this PHP vulnerability?

Organizations using PHP in CGI mode on Windows servers, especially those with internet-facing web applications, should be highly concerned. According to Halo Surface Signal, this vulnerability is classified as external, meaning it is likely exposed to the public internet and poses a significant risk to web applications.

What is the first step to address CVE-2024-4577?

The immediate first step is to identify any instances of PHP running in CGI mode on Windows systems within your environment. Once identified, you should work to reduce their exposure or isolate them from the internet while applying vendor-provided fixes or alternative security measures.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified