PHP CGI Argument Injection (CVE-2024-4577)
Description
PHP versions running in CGI mode on Windows systems are vulnerable to argument injection due to improper handling of character encoding conversions. When PHP processes HTTP requests in CGI mode, specially crafted requests containing specific character sequences can bypass input validation, allowing attackers to inject arbitrary command-line arguments. This vulnerability (CVE-2024-4577) affects the way PHP interprets certain Unicode characters that Windows converts into ASCII characters used for command-line argument parsing, enabling remote code execution without authentication.
Remediation
Take the following immediate actions to remediate this vulnerability:
1. Upgrade PHP immediately to a patched version: 8.3.8 or later, 8.2.20 or later, or 8.1.29 or later. Download from the official PHP website.
2. If immediate patching is not possible, implement one of these temporary mitigations:
- Switch from CGI mode to a safer PHP handler such as FastCGI (PHP-FPM) or mod_php
- Configure web server rules to block requests containing suspicious character sequences (e.g., soft hyphens %AD)
- Restrict access to PHP scripts using network-level controls until patching is complete
3. Verify your configuration by checking if PHP is running in CGI mode. On Windows, check your web server configuration files (e.g., IIS or Apache) for CGI handler mappings.
4. Monitor for exploitation attempts by reviewing web server logs for unusual character sequences in request parameters, particularly Unicode characters that may be converted to dashes or other command-line argument indicators.
5. Conduct a security assessment to determine if the system has been compromised prior to patching, looking for unauthorized file modifications, new user accounts, or suspicious processes.