CVE-2024-8926
php: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)
| Publication Date | 2024-10-07 |
|---|---|
| Severity | Critical |
| Type | Cross-Site Request Forgery |
| Affected PHP Versions |
|
| Fixed Product Versions |
|
CVE Details
When using a certain non-standard configurations of Windows codepages, the fixes for CVE-2024-4577 https://github.com/advisories/GHSA-vxpp-6299-mxw3 may still be bypassed and the same command injection related to Windows "Best Fit" codepage behavior can be achieved. This may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc. A flaw was found in PHP that bypasses the fix implemented in CVE-2024-4577 when using a non-standard configuration of Windows codepages, only obtainable through the registry by pointing the ACP codepage to an OEM codepage. The required configuration is unlikely to occur in a real environment.
Recommendations
We recommend upgrading to a known patched version of PHP.
If you cannot, you can mitigate this attack in a couple of ways:
-
apply a mod_rewrite rule to block attacks, like the following:
RewriteEngine On RewriteCond %{QUERY_STRING} ^%ad [NC] RewriteRule .? – [F,L] -
If you use XAMPP and do not need the PHP CGI feature, find the 'ScriptAlias' directive in the Apache configuration file (typically at 'C:/xampp/apache/conf/extra/httpd-xampp.conf') and comment it out.
Admins can determine if they use PHP-CGI using the phpinfo() function and checking the 'Server API' value in the output.
It is suggested that system administrators consider migrating from CGI to more secure alternatives, like FastCGI, PHP-FPM, and Mod-PHP.