Nasty bug with very simple exploit hits PHP just in time for the weekend

Enlarge

A critical vulnerability In THE PHP programming language can be trivially exploited has execute malicious coded on the Windows devices, security researchers warned as they exhorted those affected has take action Before THE weekend starts.

In 24 hours of THE vulnerability And accompanying patch be published, researchers Since THE non-profit security organization Ghost server reported the Internet analyzes designed has identify waiters that are sensitive has attacks. This—combined with (1) THE ease of exploitation, (2) THE availability of proof of concept attack coded, (3) THE gravity of from a distance execution coded on vulnerable machines, And (4) THE widely used XAMPP platform be vulnerable by default: a guest security practitioners has urge administrators check has see if their PHP waiters are affected Before departure THE weekend.

When "Best Adjust" is not it

"A wicked bug with A very simple exploit – perfect For A Friday afternoon," researchers with security farm Watch tower wrote.

CVE-2024-4577, as THE vulnerability East follow up, stems Since Errors In THE path PHP converts unicode characters In ASCII. A functionality built In the Windows known as Best Adjust allow attackers has to use A technical known as argument injection has pass user-provided to input In orders accomplished by A application, In This case, PHP. Exploits allow attackers has bypasses CVE-2012-1823, A critical coded execution vulnerability patched In PHP In 2012.

"While execution PHP, THE team did not notice THE Best fit functionality of coding conversion In THE the Windows Operating system," researchers with Devcore, THE security farm that discovered CVE-2024-4577, wrote. "This monitoring allow unauthenticated attackers has bypasses THE previous protection of CVE-2012-1823 by specific character sequences. Arbitrary coded can be accomplished on remote PHP waiters through THE argument injection attack."

CVE-2024-4577 affected PHP only When he short In A fashion known as CGI, In which A the Web server analysis HTTP requests And pass them has A PHP scenario For treatment. Even When PHP is not it together has Computer graphics fashion, However, THE vulnerability can always be exploitable When PHP executables such as php.exe And php-cgi.exe are In directories that are accessible by THE the Web server. This configuration East together by default In XAMPP For The Windows, manufacturing THE platform vulnerable unless he has has been modified.

A example, Watch tower note, occurs When queries are analysis And sent through A order double. THE result: A harmless request such as http://host/cgi.php?foo=bar could be converted In php.exe cgi.php foo=bar, A order that would be be accomplished by THE main PHP engine.

No escape

As a lot other languages, PHP converts certain types of user to input has prevent he Since be interpreter as A order For execution. This East A process known as escape. For example, In HTML, THE < And > characters are often escaped by conversion them In their unicode hexadecimal value equivalents < And > has prevent them Since be interpreter as HTML Keywords by A browser.

THE Watch tower researchers demonstrate how Best Adjust failed has escape characters such as A soft hyphen (with unicode value 0xAD) And instead converts he has A not escaped regular hyphen (0x2D), A character It is instrumental In a lot coded syntaxes.

THE researchers went on has explain:

He turns out that, as part of unicode treatment, PHP will apply what is this known as A 'best adjust' cartography, And usefully assume that, When THE user between A soft hyphen, they In fact destined has...