CVE-2024-9026

php: PHP-FPM Log Manipulation Vulnerability'))) AND 3902=(SELECT COUNT(*) FROM SYSMASTER:SYSPAGHDR) AND ((('ltRg'='ltRg

Publication Date	2024-10-08
Severity	Critical
Type	Cross-Site Request Forgery
Affected PHP Versions	7.4.0-7.4.33 8.0.0-8.0.30 8.1.0-8.1.30 8.2.0-8.2.24 8.3.0-8.3.12
Fixed Product Versions	ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendPHP 8.2 ZendPHP 8.3

CVE Details

When using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possible to pollute the final log or remove up to 4 characters from the log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Recommendations

We recommend upgrading to a known patched version of PHP.

< View all CVEs

Featured Product

ZendPHP

2025 PHP Landscape Report

CVE Details

Recommendations