Security News > 2024 > June > PHP fixes critical RCE flaw impacting all versions for Windows

PHP fixes critical RCE flaw impacting all versions for Windows
2024-06-07 14:32

A new PHP for Windows remote code execution vulnerability has been disclosed, impacting all releases since version 5.x, potentially impacting a massive number of servers worldwide.

The new RCE flaw tracked as CVE-2024-4577, was discovered by Devcore Principal Security Researcher Orange Tsai on May 7, 2024, who reported it to the PHP developers.

The CVE-2024-4577 flaw is caused by an oversight in handling character encoding conversions, specifically the 'Best-Fit' feature on Windows when PHP is used in CGI mode.

The analysts explain that even if PHP is not configured in CGI mode, CVE-2024-4577 might still be exploitable as long as the PHP executables are in directories that are accessible by the web server.

As Devcore says the CVE-2024-4577 vulnerability impacts all versions of PHP for Windows, if you are using PHP 8.0, PHP 7.x, or PHP 5.x, you either need to upgrade to a newer version or use the mitigations described below.

Those using supported PHP versions should upgrade to the versions that incorporate the patches: PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29.


News URL

https://www.bleepingcomputer.com/news/security/php-fixes-critical-rce-flaw-impacting-all-versions-for-windows/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-06-09 CVE-2024-4577 OS Command Injection vulnerability in multiple products
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions.
network
low complexity
php fedoraproject CWE-78
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
PHP 9 1 43 115 124 283