--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Vulnerabilities in PHP' number: '2024-058' version: '1.0' original_date: 'June 6, 2024' date: 'June 13, 2024' --- _History:_ * _13/06/2024 --- v1.0 -- Initial publication_ # Summary On June 6, 2024, a critical vulnerability was identified in certain versions of PHP that could allow the execution of arbitrary code or disclosure of sensitive information on Windows systems using Apache and PHP-CGI [1]. The vulnerability is currently being actively exploited, and several proof of concepts are available [2]. # Technical details The vulnerability, identified as **CVE-2024-4577**. with a CVSS score of 9.3 [3], affects certain PHP versions. When using Apache and PHP-CGI on Windows, if the system is configured to use specific code pages, Windows may utilise _Best-Fit_ behaviour to replace characters in the command line given to Win32 API functions. This behaviour can cause the PHP CGI module to misinterpret these characters as PHP options, potentially allowing a malicious user to pass options to the PHP binary being executed. This vulnerability could lead to the exposure of script source code or the execution of arbitrary PHP code on the server. # Affected Products The vulnerability affects PHP versions: - 8.1.* before 8.1.29, - 8.2.* before 8.2.20, - 8.3.* before 8.3.8 when using Apache and PHP-CGI on Windows [1] # Recommendations It is recommended to apply updates to the affected products as soon as possible. # References [1] [2] [3]