
PHP CGI Argument Injection vulnerability

This live blog contains information regarding a PHP CGI Argument Injection Vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on June 11, 2024.


Update 12 June

A proof of concept was published this week and is now being actively abused. Research by T-CERT shows that more than 70 servers in the Netherlands are vulnerable to this exploit. Malware campaigns have also been seen that actively abuse this vulnerability, which once again underlines the importance of patching.


Background

A severe vulnerability has been discovered in the PHP CGI (Common Gateway Interface) implementation, allowing unauthenticated attackers to inject special arguments via the URL. This can lead to the execution of arbitrary code on Windows servers. The issue arises from PHP CGI’s insecure handling of arguments, enabling command injection that the server executes. CVE-2024-4577 has a CVSS score of 9.8, which indicates a high risk of abuse and significant impact.

Risk

This vulnerability affects all PHP versions on Windows systems, particularly:

  • PHP 8.3 < 8.3.8
  • PHP 8.2 < 8.2.20
  • PHP 8.1 < 8.1.29

Attackers can compromise servers, potentially gaining full control over the system. Standard XAMPP configurations and specific Windows locales are especially vulnerable.

Advice

The best way to mitigate this vulnerability is by updating to the latest PHP versions (PHP 8.3.8, 8.2.20, and 8.1.29).

For systems that cannot be updated immediately, it is recommended to implement temporary rewrite rules that block dangerous URL patterns.

Using safer architectures like mod_php or PHP-FPM offers a structural solution, as they do not share the same vulnerabilities as the CGI implementation. These steps help prevent attackers from exploiting the vulnerability and ensure a more secure server environment.
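The temporary rewrite rule referred to above is the one published with the fixed PHP releases (8.3.8, 8.2.20 and 8.1.29): it refuses any request whose raw query string begins with the percent-encoded byte `%ad`, case-insensitively. The script below is an added example, not part of this post, and re-implements that single condition in Python so it can be run over existing access logs as a retrospective check of what the rule would have rejected. The log lines are constructed samples in common log format, and the query strings in them are placeholders.

```python
"""Flag access-log entries that the published CVE-2024-4577 stopgap rewrite
rule would have rejected.

The rule shipped with the PHP 8.3.8 / 8.2.20 / 8.1.29 announcement is:

    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^%ad [NC]
    RewriteRule .? - [F,L]

i.e. refuse any request whose raw query string starts with the percent-encoded
byte %ad, case-insensitively. This mirrors that condition for log review; it is
a check, not a substitute for updating PHP.
"""
import re
from urllib.parse import urlsplit

# Common log format: client ident user [time] "request line" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def query_string_of(request_line: str) -> str:
    """Return the raw (still percent-encoded) query string of a request line.

    The request line is 'METHOD target HTTP/x.y'; anything malformed yields ''.
    urlsplit does not decode percent-escapes, which is what the rule looks at.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return urlsplit(parts[1]).query


def rewrite_rule_matches(query_string: str) -> bool:
    """Mirror `RewriteCond %{QUERY_STRING} ^%ad [NC]`: True when the rule fires."""
    return query_string[:3].lower() == "%ad"


def flag_log_lines(lines):
    """Return (client, request) for each parsable line the rule would have blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format; skip rather than guess
        if rewrite_rule_matches(query_string_of(m.group("request"))):
            hits.append((m.group("client"), m.group("request")))
    return hits


# Constructed sample lines (not real traffic); query strings are placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Jun/2024:10:15:32 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.11 - - [08/Jun/2024:10:16:01 +0000] "GET /cgi-bin/php-cgi.exe?%adexample HTTP/1.1" 200 1024',
    '203.0.113.12 - - [08/Jun/2024:10:16:05 +0000] "POST /test.php?%ADexample HTTP/1.1" 200 77',
    '203.0.113.13 - - [08/Jun/2024:10:17:44 +0000] "GET /search.php?ad=1 HTTP/1.1" 200 300',
    'garbage line that is not in common log format',
]

if __name__ == "__main__":
    for client, request in flag_log_lines(SAMPLE_LOG):
        print(f"{client} {request}")
```

Two points follow from how narrow the condition is: the rule inspects only the query string, and it is only a stopgap. A request that the rule would have passed is not proof that a server was safe, so treat a scan of old logs as a prioritisation aid for the update to a fixed PHP version, or for the move to mod_php or PHP-FPM, rather than as an all-clear.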
