PHP CGI Argument Injection Vulnerability

A severe vulnerability has been discovered in the PHP CGI (Common Gateway Interface) implementation, allowing unauthenticated attackers to inject special arguments via the URL. This can lead to the execution of arbitrary code on Windows servers. The issue arises from PHP CGI’s insecure handling of arguments, enabling command injection that the server executes.

CVE-2024-4577 has a CVSS-score of 9.8. This indicates a high risk of abuse and significant impact.

This vulnerability affects all PHP versions on Windows systems, particularly:

• PHP 8.3 < 8.3.8
• PHP 8.2 < 8.2.20
• PHP 8.1 < 8.1.29

Attackers can compromise servers, potentially gaining full control over the system. Standard XAMPP configurations and specific Windows locales are especially vulnerable.

The best way to mitigate this vulnerability is by updating to the latest PHP versions (PHP 8.3.8, 8.2.20, and 8.1.29).

For systems that cannot be updated immediately, it is recommended to implement temporary rewrite rules that block dangerous URL patterns.

Using safer architectures like Mod-PHP or PHP-FPM offers a structural solution, as they do not share the same vulnerabilities as the CGI implementation. These steps help prevent attackers from exploiting the vulnerability and ensure a more secure server environment.

More information:

• Security Alert: CVE-2024-4577 – PHP CGI Argument Injection Vulnerability | DEVCORE