{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2024-058.pdf" }, "title": "Vulnerabilities in PHP", "serial_number": "2024-058", "publish_date": "13-06-2024 17:33:40", "description": "On June 6, 2024, a critical vulnerability was identified in certain versions of PHP that could allow the execution of arbitrary code or disclosure of sensitive information on Windows systems using Apache and PHP-CGI. The vulnerability is currently being actively exploited, and several proof of concepts are available.
\n", "url_title": "2024-058", "content_markdown": "---\ntitle: 'Vulnerabilities in PHP'\nnumber: '2024-058'\nversion: '1.0'\noriginal_date: 'June 6, 2024'\ndate: 'June 13, 2024'\n---\n\n_History:_\n\n* _13/06/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 6, 2024, a critical vulnerability was identified in certain versions of PHP that could allow the execution of arbitrary code or disclosure of sensitive information on Windows systems using Apache and PHP-CGI [1]. The vulnerability is currently being actively exploited, and several proof of concepts are available [2].\n\n# Technical details\n\nThe vulnerability, identified as **CVE-2024-4577**. with a CVSS score of 9.3 [3], affects certain PHP versions. When using Apache and PHP-CGI on Windows, if the system is configured to use specific code pages, Windows may utilise _Best-Fit_ behaviour to replace characters in the command line given to Win32 API functions. This behaviour can cause the PHP CGI module to misinterpret these characters as PHP options, potentially allowing a malicious user to pass options to the PHP binary being executed. This vulnerability could lead to the exposure of script source code or the execution of arbitrary PHP code on the server.\n\n# Affected Products\n\nThe vulnerability affects PHP versions:\n\n- 8.1.* before 8.1.29, \n- 8.2.* before 8.2.20, \n- 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows [1]\n\n# Recommendations\n\nIt is recommended to apply updates to the affected products as soon as possible.\n\n# References \n\n[1] \n\n[2] \n\n[3] \n\n\n", "content_html": "

History:

  • 13/06/2024 --- v1.0 -- Initial publication

Summary

On June 6, 2024, a critical vulnerability was identified in certain versions of PHP that could allow the execution of arbitrary code or disclosure of sensitive information on Windows systems using Apache and PHP-CGI [1]. The vulnerability is currently being actively exploited, and several proof of concepts are available [2].

Technical details

The vulnerability, identified as CVE-2024-4577. with a CVSS score of 9.3 [3], affects certain PHP versions. When using Apache and PHP-CGI on Windows, if the system is configured to use specific code pages, Windows may utilise Best-Fit behaviour to replace characters in the command line given to Win32 API functions. This behaviour can cause the PHP CGI module to misinterpret these characters as PHP options, potentially allowing a malicious user to pass options to the PHP binary being executed. This vulnerability could lead to the exposure of script source code or the execution of arbitrary PHP code on the server.

Affected Products

The vulnerability affects PHP versions:

  • 8.1.* before 8.1.29,
  • 8.2.* before 8.2.20,
  • 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows [1]

Recommendations

It is recommended to apply updates to the affected products as soon as possible.

References

[1] https://www.php.net/ChangeLog-8.php

[2] https://github.com/watchtowrlabs/CVE-2024-4577

[3] https://nvd.nist.gov/vuln/detail/CVE-2024-4577

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }