In a recent report by DevCo.re, a vulnerability known as CVE-2024-4577 in PHP has been revealed, allowing attackers to execute their code on a server or view the source code of PHP scripts. This vulnerability specifically affects PHP running in CGI mode on the Windows platform. Configurations with MOD_PHP, PHP-FPM, and FASTCGI are not susceptible to this issue. The problem has been addressed in the latest releases of PHP 8.3.8, 8.2.20, and 8.1.29.
This vulnerability is a variation of the CVE-2012-1823 issue that was fixed in 2012 but did not cover attacks on the Windows platform. Attackers can exploit the vulnerability by manipulating requests to PHP scripts, allowing them to alter command line arguments when initiating the PHP interpreter.
Previously, with the CVE-2012-1823 vulnerability, attackers could specify command line options instead of request parameters to reveal script source code. The new vulnerability takes advantage of Windows’ automatic conversion of symbols, allowing them to bypass certain protections by indicating characters present in specific encodings.
The vulnerability has been confirmed in configurations using traditional Chinese (CP950), simplified Chinese (CP936), and Japanese (CP932) languages, with the potential to manifest in other locales as well. It affects default configurations in setups like XAMPP (Apache + MariaDB + PHP + Perl) and any Apache configurations where PHP-CGI is employed as a CGI script processor using specific directives.
Furthermore, the PHP updates to versions 8.3.8, 8.2.20, and 8.1.29 also address two additional