
PHP addresses a critical vulnerability that could lead to arbitrary PHP code execution [CVE-2024-4577]

CVE number = CVE-2024-4577

During DEVCORE’s continuous offensive research, their team discovered a remote code execution vulnerability in PHP. Due to the widespread use of the programming language in the web ecosystem and the ease of exploitability, DEVCORE classified its severity as critical, and promptly reported it to the PHP official team. The official team released a patch on 2024/06/06.

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20 and 8.3.* before 8.3.8, when PHP is run through Apache and PHP-CGI on Windows and the system is set up to use certain code pages, Windows may apply its "Best-Fit" behaviour to replace characters in the command line passed to Win32 API functions. DEVCORE confirmed the Traditional Chinese (code page 950), Simplified Chinese (936) and Japanese (932) locales as affected; other locales were not ruled out.

The PHP CGI module may then misinterpret those characters as PHP options, which allows an unauthenticated attacker to pass options to the PHP binary being run and thereby reveal the source code of scripts, run arbitrary PHP code on the server, and so on. Upgrading to a fixed release is the remedy; PHP 8.0 and the 7.x and 5.x branches are end of life and do not receive this patch, so installations on them remain exposed. The default XAMPP for Windows configuration exposes php-cgi through Apache and is affected. Where an upgrade must wait, DEVCORE's advisory (linked below) describes temporary mitigations such as rejecting requests whose query string begins with %ad via mod_rewrite, or disabling the php-cgi handler in favour of mod_php or FastCGI.
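The mechanism in the two paragraphs above, as an added example that is not code from PHP or DEVCORE: a small Python model of the path a query string takes into php-cgi.exe on Windows, plus a check you can run over access-log lines. The best-fit table is a one-entry excerpt constructed for the example, the CVE-2012-1823 guard is a simplified model of PHP's real check in sapi/cgi/cgi_main.c, the assumption that the server hands the argument over as a wide-character command line (so byte 0xAD arrives as U+00AD) is stated in the code, and the log lines are constructed.

```python
"""Model of the CVE-2024-4577 argument-injection path plus a log check.

Added example for this page; it is not PHP's or DEVCORE's code. The code-page
table, the guard and the sample log lines are simplified or constructed.
"""
import re
from urllib.parse import unquote_to_bytes

# Code pages DEVCORE confirmed as affected. U+00AD (SOFT HYPHEN) has no
# mapping in them, and Windows' best-fit conversion substitutes 0x2D "-".
AFFECTED_CODE_PAGES = {"cp932", "cp936", "cp950"}
BEST_FIT = {"\u00ad": "-"}  # one-entry excerpt of the Windows best-fit tables (constructed)


def best_fit_encode(text, code_page):
    """Encode like WideCharToMultiByte does without WC_NO_BEST_FIT_CHARS (simplified)."""
    out = bytearray()
    for ch in text:
        if code_page in AFFECTED_CODE_PAGES and ch in BEST_FIT:
            out += BEST_FIT[ch].encode("ascii")  # best-fit substitution
        else:
            out += ch.encode(code_page, errors="replace")
    return bytes(out)


def cgi_argv(query_string):
    """RFC 3875 section 4.4: a QUERY_STRING with no unencoded '=' is split on
    '+' and handed to the CGI program as command-line arguments."""
    if "=" in query_string:
        return []
    return [unquote_to_bytes(word) for word in query_string.split("+") if word]


def query_guard_passes(decoded_args):
    """Simplified model of the check PHP added after CVE-2012-1823: the decoded
    query-string words are not treated as options if any starts with '-'.
    It sees the raw byte 0xAD, not a hyphen, so the check is satisfied."""
    return not any(arg.startswith(b"-") for arg in decoded_args)


def options_reaching_php_cgi(query_string, code_page):
    """Options php-cgi.exe would parse from the query string under the given
    process code page. Assumption for this model: the server passes the words
    as a wide-character command line (byte 0xAD becomes U+00AD) and they are
    converted back to the process code page, where best-fit applies."""
    decoded = cgi_argv(query_string)
    if not query_guard_passes(decoded):
        return []
    converted = [best_fit_encode(arg.decode("latin-1"), code_page) for arg in decoded]
    return [arg for arg in converted if arg.startswith(b"-")]


# Detection: an argv-style query string (no literal '=') containing a word
# that begins with the percent-encoded soft hyphen, the pattern DEVCORE's
# mod_rewrite mitigation blocks.
SOFT_HYPHEN_WORD = re.compile(r"(?:^|\+)%ad", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_query(query_string):
    return "=" not in query_string and SOFT_HYPHEN_WORD.search(query_string) is not None


def scan_access_log(lines):
    """Return request targets whose query string matches the pattern."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        target = match.group("target")
        _path, _sep, query = target.partition("?")
        if is_suspicious_query(query):
            hits.append(target)
    return hits


SAMPLE_LOG = [  # constructed Apache access-log lines for this example
    '203.0.113.5 - - [07/Jun/2024:10:01:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jun/2024:10:01:05 +0000] "GET /test.php?-s HTTP/1.1" 200 88',
    '203.0.113.9 - - [07/Jun/2024:10:01:07 +0000] "GET /test.php?%ADs HTTP/1.1" 200 1020',
    '203.0.113.9 - - [07/Jun/2024:10:01:09 +0000] "GET /cgi-bin/php-cgi.exe?%ads HTTP/1.1" 200 1020',
]

if __name__ == "__main__":
    for query in ("-s", "%ADs"):
        for cp in ("cp1252", "cp936"):
            print(query, cp, options_reaching_php_cgi(query, cp))
    print(scan_access_log(SAMPLE_LOG))
```

Running the block shows the contrast the advisory describes: `?-s` is stopped by the 2012 guard on every code page, `?%ADs` stays a harmless 0xAD byte on a Western code page such as 1252, and on 932/936/950 the same request reaches php-cgi as the `-s` option. The log check is deliberately narrow (argv-style query, soft hyphen at the start of a word) so it can run on busy servers without flooding an analyst with hits; it does not attempt to catch other encodings of the same byte.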

Further information – https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/

Patch details – https://www.php.net/ChangeLog-8.php#8.1.29

Download the latest PHP version from https://www.php.net/downloads

Kerry Dean

Kerry is a Content Creator at www.systemtek.co.uk. She has spent many years working in IT support; her main interests are computing, networking and AI.
