Critical RCE Flaw in PHP Patch it – CVE-2024-4577

A critical remote code execution vulnerability in PHP has been disclosed by researchers at the security firm DEVCORE. The flaw could allow unauthenticated attackers to take full control of affected PHP servers.

The vulnerability is tracked as CVE-2024-4577. Its root cause is that PHP's CGI implementation on Windows did not account for the "Best-Fit" behaviour of Windows character-encoding conversion: when the command line handed to php-cgi.exe is narrowed to the system code page, characters with no exact equivalent are silently replaced by look-alike ASCII characters. With specific character sequences an attacker can therefore bypass the protection added for CVE-2012-1823 (which stops a CGI query string beginning with `-` from being parsed as command-line options) while php-cgi still receives option arguments. The result is an argument injection that leads to arbitrary code execution on the remote PHP server. DEVCORE confirmed exploitation on Windows systems using the Traditional Chinese, Simplified Chinese and Japanese locales; for other locales they could not rule exploitation out, so the fix should be applied regardless. The exploitable deployments are PHP running in CGI mode (for example Apache mapping .php files to php-cgi.exe through Action/ScriptAlias handlers) and deployments that expose the php-cgi binary directly, which is the default XAMPP configuration.
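To make the bypass concrete, the following is an added Python model written for this article; it is not PHP's, Apache's or DEVCORE's code. It models the three pieces that interact: the RFC 3875 rule by which a query string without `=` is split on `+` and passed to the CGI program as command-line arguments, the Windows C runtime's Best-Fit conversion (reduced to the single mapping the bug relies on, soft hyphen 0xAD to `-`, as an assumed stand-in for the real code-page tables), and PHP's CVE-2012-1823 guard, which URL-decodes QUERY_STRING on its own and skips option parsing when the decoded string starts with `-`. The access-log lines in `SAMPLE_LOG` are constructed, and `flag_best_fit_injection` is a detection check of my own: it is deliberately broader than matching a query string that begins with `%AD`, flagging any request that slips past the 2012 guard yet yields `-` arguments after conversion.

```python
import re
from urllib.parse import unquote_to_bytes

# Windows "Best-Fit" conversion, reduced to the one entry CVE-2024-4577 relies on.
# In the Traditional Chinese (950), Simplified Chinese (936) and Japanese (932)
# code pages the soft hyphen U+00AD has no exact mapping, so when the C runtime
# narrows the process command line for main() it is replaced by ASCII '-'.
# The real OS tables are far larger; this dict is an assumed minimal stand-in.
BEST_FIT = {0xAD: 0x2D}


def best_fit(raw: bytes) -> bytes:
    """Apply the modelled Best-Fit mapping byte by byte."""
    return bytes(BEST_FIT.get(b, b) for b in raw)


def cgi_argv_on_windows(query_string: str) -> list:
    """What php-cgi.exe sees in argv for a given raw QUERY_STRING.

    RFC 3875 (and Apache's mod_cgi): a query string containing no '=' is
    split on '+', each piece is URL-decoded and passed as a command-line
    argument. On Windows that command line is then narrowed to the ANSI
    code page, which is where Best-Fit rewrites 0xAD into '-'.
    """
    if "=" in query_string:
        return []
    return [best_fit(unquote_to_bytes(piece)).decode("latin-1")
            for piece in query_string.split("+")]


def php_skip_getopt(query_string: str) -> bool:
    """Model of PHP's CVE-2012-1823 guard.

    PHP URL-decodes QUERY_STRING itself and, if the result starts with '-'
    while the raw string has no '=', refuses to treat argv as options.
    That decode happens inside PHP and never goes through Best-Fit, so a
    leading 0xAD byte is simply not a hyphen as far as the guard is concerned.
    """
    decoded = unquote_to_bytes(query_string)
    return decoded.startswith(b"-") and "=" not in query_string


def injected_options(query_string: str) -> list:
    """Option-looking arguments php-cgi would actually parse for this query."""
    if php_skip_getopt(query_string):
        return []
    return [arg for arg in cgi_argv_on_windows(query_string) if arg.startswith("-")]


# Apache combined-log request field: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"')


def flag_best_fit_injection(log_lines) -> list:
    """Return (path, injected options) for each request that passes the 2012
    guard yet produces '-' arguments once Best-Fit conversion is applied."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or not m.group("query"):
            continue
        opts = injected_options(m.group("query"))
        if opts:
            hits.append((m.group("path"), opts))
    return hits


# Constructed sample log lines (not real traffic). The first carries the
# %AD-based injection shape (php-cgi's -d sets an INI directive); the second
# is the pre-2012 form the guard still blocks; the rest are ordinary requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2024:10:15:01 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1"'
    ' 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [07/Jun/2024:10:15:02 +0000] "GET /php-cgi/php-cgi.exe?-s HTTP/1.1"'
    ' 200 199 "-" "curl/8.5.0"',
    '192.0.2.9 - - [07/Jun/2024:10:15:03 +0000] "GET /index.php?page=home HTTP/1.1"'
    ' 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Jun/2024:10:15:04 +0000] "GET /cgi-bin/search.cgi?foo+bar HTTP/1.1"'
    ' 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, opts in flag_best_fit_injection(SAMPLE_LOG):
        print(f"suspicious CGI argument injection against {path}: {opts}")
```

Running the script flags only the first sample line: the ASCII `?-s` request is stopped by the 2012 guard, the `page=home` request is never turned into argv because it contains `=`, and `foo+bar` becomes two harmless arguments. The `%ADd` request passes the guard because PHP's own decode yields byte 0xAD rather than `-`, yet the modelled Best-Fit step turns the same bytes into `-d` before php-cgi ever parses them.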


The vulnerability affects every version of PHP on Windows. The following actively maintained branches have received fixes:

  • PHP 8.3 (versions before 8.3.8)
  • PHP 8.2 (versions before 8.2.20)
  • PHP 8.1 (versions before 8.1.29)

DEVCORE promptly reported the issue to the PHP development team, which released patches on June 6th, 2024. Note that the PHP 8.0, PHP 7 and PHP 5 branches are End-of-Life and no longer maintained, so installations on those branches will not receive a fix and remain vulnerable.

Users of XAMPP are also vulnerable, because its default configuration exposes the php-cgi binary through a ScriptAlias. XAMPP has not yet released an update for this vulnerability, but DEVCORE's advisory gives temporary mitigations: for Apache, a mod_rewrite rule that rejects requests whose query string begins with `%ad`, and for XAMPP specifically, commenting out the `ScriptAlias /php-cgi/` line in httpd-xampp.conf if the PHP CGI feature is not needed.

It is strongly recommended to upgrade PHP to version 8.3.8, 8.2.20 or 8.1.29. Security researchers at watchTowr have since published technical details and a proof-of-concept exploit, so unpatched, exposed servers should be treated as actively at risk.
