Nasty bug with very simple exploit hits PHP just in time for the weekend

A critical vulnerability in the PHP programming language can be trivially exploited to execute malicious code on Windows devices, security researchers warned as they urged those affected to take action before the weekend starts.

Within 24 hours of the vulnerability and accompanying patch being published, researchers from the nonprofit security organization Shadowserver reported Internet scans designed to identify servers that are susceptible to attacks. That, combined with (1) the ease of exploitation, (2) the availability of proof-of-concept attack code, (3) the severity of remotely executing code on vulnerable machines, and (4) the widely used XAMPP platform being vulnerable by default, has prompted security practitioners to urge administrators to check whether their PHP servers are affected before starting the weekend.

When "Best Fit" isn't

"A nasty bug with a very simple exploit – perfect for a Friday afternoon," researchers with security firm WatchTowr wrote.

CVE-2024-4577, as the vulnerability is tracked, stems from errors in the way PHP converts unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application, in this case, PHP. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

"While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system," researchers with Devcore, the security firm that discovered CVE-2024-4577, wrote. "This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack."

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn't set to CGI mode, however, the vulnerability can still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified.

One example, WatchTowr noted, occurs when queries are parsed and sent through a command line. The result: a harmless request such as http://host/cgi.php?foo=bar could be converted into php.exe cgi.php foo=bar, a command that would be executed by the main PHP engine.

No escape

Like many other languages, PHP converts certain types of user input to prevent it from being interpreted as a command for execution. This is a process known as escaping. For example, in HTML, the < and > characters are often escaped by converting them into their unicode hex value equivalents &lt; and &gt; to prevent them from being interpreted as HTML tags by a browser.

The WatchTowr researchers demonstrate how Best Fit fails to escape characters such as a soft hyphen (with unicode value 0xAD) and instead converts it to an unescaped regular hyphen (0x2D), a character that's instrumental in many code syntaxes.

The researchers went on to explain:

It turns out that, as part of unicode processing, PHP will apply what's known as a 'best fit' mapping, and helpfully assume that, when the user entered a soft hyphen, they actually intended to...
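
As an added example (not code from the article or from the researchers it quotes), the following sketch scans web-server access-log lines for query-string arguments whose first decoded byte is 0xAD, the value the article says Best Fit converts to a regular hyphen. The log lines, the `%AD` percent-encoded form and all function names are constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = 0xAD  # value the article says Best Fit converts to a hyphen
HYPHEN = 0x2D       # the regular hyphen that results

# Request target inside a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

# Constructed sample lines (documentation IP ranges, placeholder arguments).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2024:14:02:11 +0000] "GET /cgi.php?foo=bar HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jun/2024:14:02:15 +0000] "GET /cgi.php?%ADx HTTP/1.1" 200 87',
    '203.0.113.9 - - [07/Jun/2024:14:02:16 +0000] "GET /cgi.php?-x HTTP/1.1" 200 87',
    '198.51.100.4 - - [07/Jun/2024:14:03:40 +0000] "GET /search.php?q=caf%C3%AD+bar HTTP/1.1" 200 901',
]

def leading_bytes(query):
    """First percent-decoded byte of each '+'-separated query token."""
    tokens = (unquote_to_bytes(t) for t in query.split("+"))
    return [t[0] for t in tokens if t]

def classify(query):
    """Return 'soft-hyphen', 'hyphen' or 'ok' for one raw query string."""
    firsts = leading_bytes(query)
    if SOFT_HYPHEN in firsts:
        return "soft-hyphen"  # invisible to a filter that only looks for 0x2D
    if HYPHEN in firsts and "=" not in query:
        return "hyphen"       # argument-style query with a literal hyphen
    return "ok"

def scan(lines):
    """Return (request target, verdict) for every line that is not 'ok'."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        verdict = classify(target.partition("?")[2])
        if verdict != "ok":
            hits.append((target, verdict))
    return hits

if __name__ == "__main__":
    for target, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:12} {target}")
```

Only the first byte of each token is examined, so a 0xAD that appears inside a multi-byte UTF-8 character (the fourth sample line) is not flagged.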