In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
The problem stems from the 'Best-Fit' mechanism used by Windows when converting characters in selected code pages. When the operating system converts characters in arguments passed to Win32 API functions, the PHP-CGI module may incorrectly interpret these characters as PHP command-line options. An attacker can thus smuggle arbitrary options into the executed PHP binary without any authentication or user interaction.
An attacker can disclose PHP script source code or execute arbitrary PHP code on the server, which in practice means full takeover of the application and potentially the entire system.
PHP must be immediately updated to version 8.1.29, 8.2.20, or 8.3.8 (depending on the branch in use). If immediate update is not possible, consider disabling PHP-CGI mode or replacing it with PHP-FPM, and restrict access to the CGI endpoint at the firewall or Apache configuration level.
PHP versions 8.1.x before 8.1.29, 8.2.x before 8.2.20, and 8.3.x before 8.3.8 – only in Apache + PHP-CGI configuration on Windows with specific code pages.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFedora Project Fedora
OSFedoraproject3940Microsoft Windows
OSMicrosoftwszystkie wersjePHP
APPPhp8.1.0 – 8.1.29 (bez)8.2.0 – 8.2.20 (bez)8.3.0 – 8.3.8 (bez)
CISA KEV — detailsi
- Vendori
- PHP Group
- Producti
- PHP
- Added to KEVi
- June 12, 2024
- Remediation deadline (US Federal)i
- July 3, 2024(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Commvault Command Center – nieuwierzytelniony RCE przez path traversal w ZIP
Path Traversal w Kingsoft WPS Office — ładowanie dowolnej biblioteki Windows
Type Confusion w V8 (Google Chrome) — RCE przez spreparowaną stronę HTML