CVE-2024-5585
php: Arguments execute arbitrary commands in Windows shell
Publication Date | 2024-06-07
---|---
Severity | Low
Type | Command injection (insufficient argument escaping)
Affected PHP Versions | 
Fixed Product Versions | 
CVE Details
The fix for CVE-2024-1874 does not work if the command name includes trailing spaces. Original issue: when proc_open() is called with the array syntax on Windows, the arguments are escaped insufficiently. If a malicious user controls the arguments of the executed command, they can supply values that execute arbitrary commands in the Windows shell. Windows ignores trailing spaces when resolving a file name, so a command name written with trailing spaces still runs the same program, but the check added for CVE-2024-1874 inspected the name as written, did not recognise it, and therefore did not apply the stricter escaping.
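As an added illustration (not part of this advisory, and not PHP's own proc_open code), the following Python model shows why a trailing space defeats a suffix-based batch-file check. The function names, the simplified escaping scheme, the reduced model of cmd.exe's quote handling and the sample payload are all assumptions made for the example.

```python
"""Model of the Windows argument-escaping problem behind CVE-2024-1874 and
its bypass CVE-2024-5585.  Constructed illustration; not PHP's proc_open.c.
Function names, the escaping scheme and the payload are assumptions.

Background: when a .bat or .cmd file is started, Windows runs it through
cmd.exe, which re-parses the whole command line.  cmd.exe does not know the
backslash escaping used by CommandLineToArgvW, so a quote inside an argument
can close the quoted region and a following & or | becomes a new command.
A launcher must recognise batch files and escape for cmd.exe as well.
Windows ignores trailing spaces in file names, so "evil.bat " still runs
evil.bat; a suffix check on the unstripped name misses it (CVE-2024-5585).
"""

CMD_METACHARS = frozenset("&|<>")  # metacharacters cmd.exe acts on outside quotes


def quote_argv(arg):
    """Quote one argument by the CommandLineToArgvW rules (backslash-escaped quotes)."""
    if arg and not any(c in arg for c in ' \t"'):
        return arg
    out = ['"']
    backslashes = 0
    for c in arg:
        if c == "\\":
            backslashes += 1
            continue
        if c == '"':
            out.append("\\" * (2 * backslashes + 1) + '"')
        else:
            out.append("\\" * backslashes + c)
        backslashes = 0
    out.append("\\" * (2 * backslashes) + '"')
    return "".join(out)


def quote_for_cmd(arg):
    """Assumed batch-aware escaping: wrap in quotes and double embedded quotes so
    cmd.exe's quote state never leaks out (real fixes also handle %, ! and
    newlines, omitted here)."""
    return '"' + arg.replace('"', '""') + '"'


def is_executed_by_cmd(prog, strip_trailing_spaces):
    """The launcher's batch-file check.  strip_trailing_spaces=False models the
    CVE-2024-1874 fix as shipped; True models the CVE-2024-5585 fix."""
    if strip_trailing_spaces:
        prog = prog.rstrip(" ")  # Windows drops trailing spaces from file names
    return prog.lower().endswith((".bat", ".cmd"))


def build_command_line(argv, fixed):
    """Join argv the way a proc_open-style launcher does on Windows."""
    batch = is_executed_by_cmd(argv[0], strip_trailing_spaces=fixed)
    quote = quote_for_cmd if batch else quote_argv
    return " ".join(quote(a) for a in argv)


def cmd_executes_metachar(cmdline):
    """Reduced model of cmd.exe parsing: '"' toggles quoting, backslash is not
    an escape, and a metacharacter outside quotes starts a new command."""
    in_quotes = False
    for c in cmdline:
        if c == '"':
            in_quotes = not in_quotes
        elif c in CMD_METACHARS and not in_quotes:
            return True
    return False


def attacker_argument_executes(prog, tainted_arg, fixed):
    """True if the tainted argument would make cmd.exe run a second command."""
    # Ground truth: Windows resolves the name with trailing spaces stripped.
    if not is_executed_by_cmd(prog, strip_trailing_spaces=True):
        return False  # a native .exe gets argv parsing only; no shell involved
    return cmd_executes_metachar(build_command_line([prog, tainted_arg], fixed))


if __name__ == "__main__":
    payload = '"&calc.exe'  # constructed attacker-controlled argument
    for prog in ("evil.bat", "evil.bat "):
        for fixed in (False, True):
            hit = attacker_argument_executes(prog, payload, fixed)
            print(f"prog={prog!r:12} fixed={fixed!s:5} executes={hit}")
```

Running the block prints one line per combination: with the unstripped check, `evil.bat` is handled safely but `evil.bat ` is not, because the launcher falls back to plain argv quoting and cmd.exe sees the `&` outside quotes; stripping trailing spaces before the suffix check closes that gap.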
Recommendations
For Windows users, we recommend updating to a patched version of PHP. The issue is specific to the Windows implementation of proc_open(); other platforms are not affected. Until the update is applied, do not pass user-controlled values as arguments to proc_open() on Windows.