TLP : CLEAR
Date : 11/06/2024
REF NO : CERT / 2024/06/53
Severity Level: High
Components Affected
PHP 8.1.* before 8.1.29, PHP 8.2.* before 8.2.20 and PHP 8.3.* before 8.3.8 (all four issues described below). For the PHP-CGI argument injection (CVE-2024-4577) additionally every End-of-Life PHP branch (8.0, 7.x, 5.x) running on Windows, and all XAMPP for Windows installations in their default configuration.
Overview
Multiple vulnerabilities were identified in PHP. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution and security restriction bypass on the targeted system.
Note:
CVE-2024-4577 is being exploited in the wild. It allows unauthenticated attackers to perform argument injection against PHP-CGI.
This vulnerability affects all versions of PHP on Windows that are reachable through PHP-CGI, including installations where the web server exposes the php-cgi binary. PHP 8.0, PHP 7 and PHP 5 are End-of-Life, so no patch is or will be available for those branches. All XAMPP installations on Windows are vulnerable in their default configuration.
Description
CVE-2024-1874: In PHP 8.1.* before 8.1.28, 8.2.* before 8.2.18 and 8.3.* before 8.3.5, proc_open() called with the array command syntax escapes arguments insufficiently on Windows. If an attacker controls the arguments of the executed command, they can supply arguments that execute arbitrary commands in the Windows shell.
CVE-2024-5585: In PHP 8.1.* before 8.1.29, 8.2.* before 8.2.20 and 8.3.* before 8.3.8, the fix for CVE-2024-1874 is ineffective if the command name includes trailing spaces.
CVE-2024-4577: In the same versions (8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8), when PHP runs under Apache as PHP-CGI on Windows, certain code pages cause Windows to apply "Best-Fit" character mapping to the command line, and the PHP-CGI module then misinterprets the mapped characters as PHP options. For example, a soft hyphen (byte 0xAD) is mapped to an ASCII hyphen, so a query string beginning with %ADd reaches php-cgi as the -d option. This lets an unauthenticated attacker pass options to the PHP binary, exposing script source code or running arbitrary PHP code on the server; it is a bypass of the fix for the 2012 PHP-CGI argument injection (CVE-2012-1823).
CVE-2024-5458: In the same versions, due to a code logic error, filter_var() with FILTER_VALIDATE_URL can accept invalid user information (the username:password part of a URL) as valid, so downstream code may accept and parse these invalid URLs incorrectly.
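The following log-triage script illustrates the PHP-CGI argument-injection pattern described above. It is an added example written for this advisory, not code from the PHP project or from Sri Lanka CERT. The access-log lines are constructed, and the BEST_FIT table models only the single soft-hyphen mapping that CVE-2024-4577 relies on, not Windows' full Best-Fit tables. It also catches the older unencoded "?-s" form, since both travel the same query-string-to-argv path.

```python
"""Triage Apache access-log lines for PHP-CGI argument injection: the classic
"?-s" form (CVE-2012-1823) and the soft-hyphen variant (CVE-2024-4577).

Added example for this advisory; not code from PHP or from Sri Lanka CERT.
Log lines are constructed. BEST_FIT models only the one mapping CVE-2024-4577
abuses, not Windows' full Best-Fit tables.
"""
import re
from urllib.parse import unquote_to_bytes

# Windows "Best-Fit" (modelled): byte 0xAD is U+00AD SOFT HYPHEN in the
# Latin-1 family; affected code pages best-fit it to an ASCII '-' (0x2D), so
# "%ADd" reaches php-cgi as "-d".
BEST_FIT = {0xAD: 0x2D}

# php-cgi options that matter when an attacker controls argv:
# -d set an ini directive, -s print highlighted source, -r/-f run code or a
# file, -n/-c ignore or replace php.ini.
DANGEROUS_OPTS = {"-d", "-s", "-r", "-f", "-n", "-c"}

# ini directives that turn -d into code execution in public payloads.
SUSPICIOUS_INI = ("allow_url_include", "auto_prepend_file", "cgi.force_redirect")

# Common/combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def best_fit(raw: bytes) -> str:
    """Apply the modelled Best-Fit mapping; Latin-1 keeps every byte visible."""
    return bytes(BEST_FIT.get(b, b) for b in raw).decode("latin-1")


def argv_from_query(raw_query: str) -> list:
    """RFC 3875 section 4.4: a query string with no unencoded '=' is split on
    '+' and passed, URL-decoded, as argv to the CGI program. That is the path
    both CVE-2012-1823 and CVE-2024-4577 travel; '%3d' does not count as '='."""
    if not raw_query or "=" in raw_query:
        return []
    return [best_fit(unquote_to_bytes(part)) for part in raw_query.split("+")]


def analyse_target(target: str) -> dict:
    """Break a request target into path/argv and collect injection indicators."""
    path, _, raw_query = target.partition("?")
    argv = argv_from_query(raw_query)
    options = [arg[:2] for arg in argv if arg[:2] in DANGEROUS_OPTS]
    ini = [name for name in SUSPICIOUS_INI if any(name in arg for arg in argv)]
    # Percent-encoded 0xAD in the raw query is the CVE-2024-4577 fingerprint.
    # Reported as an indicator only: 0xAD is also a legitimate UTF-8
    # continuation byte, so it must not be the sole trigger.
    soft_hyphen = re.search(r"%[aA][dD]", raw_query) is not None
    return {
        "path": path,
        "argv": argv,
        "options": options,
        "ini": ini,
        "soft_hyphen": soft_hyphen,
        "suspicious": bool(options or ini),
    }


def scan_log(lines) -> list:
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue
        info = analyse_target(match["target"])
        if info["suspicious"]:
            hits.append({"ip": match["ip"], "ts": match["ts"],
                         "status": match["status"], **info})
    return hits


# Constructed sample: two benign requests, the classic "?-s" probe, a
# CVE-2024-4577 style payload against the XAMPP php-cgi mapping, and a
# harmless argv-style request that must not be flagged.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jun/2024:13:58:02 +0530] "GET /index.php?page=home HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jun/2024:13:58:40 +0530] "GET /search.php?q=a+b HTTP/1.1" 200 1802 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2024:14:01:55 +0530] "GET /cgi-bin/php-cgi?-s HTTP/1.1" 200 9120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Jun/2024:14:02:11 +0530] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Jun/2024:14:05:00 +0530] "GET /php-cgi/php-cgi.exe?hello+world HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} options={hit["options"]} '
              f'ini={hit["ini"]} soft_hyphen={hit["soft_hyphen"]}')
```

To run it over a real log, pass the file object, opened with encoding="latin-1" so stray bytes do not abort the scan, to scan_log(). Two details matter for tuning: the "=" rule in argv_from_query() is why a request such as /index.php?page=-d is harmless (it never becomes argv), and the soft_hyphen field is reported as corroboration rather than used as the trigger, because %AD also appears inside percent-encoded multi-byte UTF-8 text.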
Impact
Remote code execution on the web server, disclosure of PHP script source code, and security restriction bypass (acceptance of malformed URLs by filter_var()).
Solution / Workarounds
Before installing the update, consult the PHP release notes for details.
The vendor has issued a fix: upgrade to PHP 8.1.29, 8.2.20 or 8.3.8, or a later release of the respective branch. PHP 8.0, 7.x and 5.x are End-of-Life and will not receive a fix; systems on those branches, including XAMPP for Windows, should be upgraded or should stop exposing PHP-CGI. Where an immediate upgrade is not possible, the PHP project's advisory recommends rejecting requests whose query string begins with %ad (for Apache, via a mod_rewrite rule) and, for XAMPP, disabling the ScriptAlias that exposes the php-cgi directory.
Reference
Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.
Sri Lanka Computer Emergency Readiness Team | Coordination Centre