CVE-2024-8927

php: cgi.force_redirect configuration is bypassable due to the environment variable collision

Publication Date 2024-10-07
Severity Critical
Type Cross-Site Request Forgery
Affected PHP Versions
  • 7.2.0-7.2.34
  • 7.3.0-7.3.33
  • 7.4.0-7.4.33
  • 8.0.0-8.0.30
  • 8.1.0-8.1.30
  • 8.2.0-8.2.24
  • 8.3.0-8.3.12
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendPHP 8.3

CVE Details

The HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access php-cgi directly. This may lead to arbitrary file inclusion in PHP.

Recommendations

We recommend upgrading to a patched version of PHP.