PHP Vulnerability Allows Hackers to Remotely Control Windows Server

Developers have been using PHP on Windows Servers for decades.

Its popularity has led many operators to assume that PHP is safe to run on Windows Server and similar infrastructure.

Security research firm DEVCORE has disclosed a critical flaw in PHP that can be used to execute code remotely on vulnerable Windows servers.

The vulnerability is tracked as CVE-2024-4577 and is classified as a CGI argument injection in php-cgi: attacker-controlled parts of the request end up being parsed as command-line options of the PHP CGI binary.

Within 24 hours of public disclosure, exploitation attempts against PHP servers were already being observed, including attacks on servers in Egypt.

More importantly, CVE-2024-4577 affects every version of PHP on Windows when PHP runs in CGI mode, including branches that no longer receive security fixes.

Following DEVCORE's report, the PHP project released version 8.3.8, along with 8.2.20 and 8.1.29 for the older supported branches, to fix the vulnerability.

The PHP project is urging everyone running PHP on a Windows web server to update to one of the fixed releases.


According to the research team's blog post, XAMPP for Windows is affected in its default configuration because it exposes php-cgi.exe to the web, so an unauthenticated attacker can run code on an exposed XAMPP server.

According to Orange Tsai, the DEVCORE researcher who found the bug, the root cause is the Best-Fit behaviour of Windows character encoding conversion: when a character has no exact mapping in the target code page, Windows substitutes a similar-looking character instead of failing.

He added that the same Best-Fit behaviour is likely to cause further issues beyond this one.

DEVCORE says the PHP developers did not account for this conversion. php-cgi already carried a guard against argument injection (the fix for CVE-2012-1823), which decodes the query string and refuses to parse options if it begins with a hyphen. That guard never sees the converted value: on the affected locales Windows turns a soft hyphen (byte 0xAD) in the argument into an ASCII hyphen (0x2D) by the time php-cgi reads its argv, so a request such as a query string beginning with %ADd slips past the check and is parsed as the -d option.

Because -d can set PHP configuration directives per request, this conversion mismatch is what lets an unauthenticated attacker get arbitrary code executed on the server.

Security researchers say the vulnerability allows a threat actor, with no authentication, to remotely read sensitive information such as script source code from the server.

It can also be used to cause a denial of service and to run arbitrary code on the web server.

Exploitability depends on the Windows locale of the server rather than on the PHP version alone.

Installations running the Traditional Chinese (code page 950), Simplified Chinese (936) or Japanese (932) locales are confirmed exploitable and need immediate mitigation; DEVCORE notes that other locales such as English, Korean and Western European cannot yet be declared safe, because the full set of exploitation scenarios has not been enumerated, so those servers should be patched as well.

The underlying bug is simple, which makes it surprising that it went unnoticed for so long.

Regardless, DEVCORE also recommends moving off the outdated PHP CGI mode entirely and running PHP through mod_php, FastCGI or PHP-FPM instead; for sites that cannot upgrade immediately, its advisory gives a rewrite rule that rejects query strings beginning with %ad before they reach php-cgi.
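The following Python script is an added illustration and is not code from PHP or from DEVCORE. It emulates the three pieces that interact here: the RFC 3875 rule that turns a query string without a literal "=" into CGI command-line arguments, the Windows Best-Fit substitution on the affected locales, and a reconstruction of php-cgi's hyphen guard from its public description. The Best-Fit table is deliberately reduced to the single mapping the advisory describes (soft hyphen 0xAD to "-"), the query strings are constructed samples, and the "hardened" guard is one consistent check of the kind a practitioner might write, not the upstream patch. It also includes the query-string condition behind the advisory's Apache rewrite mitigation, so the same sample can be checked against both the bug and the workaround.

```python
"""Emulation (added example, not PHP's or DEVCORE's code) of the CVE-2024-4577
guard bypass: php-cgi checks the decoded QUERY_STRING for a leading '-', but
Windows Best-Fit conversion rewrites the argv it actually parses."""
from __future__ import annotations

from urllib.parse import unquote_to_bytes

# Assumed for this demo: the one Best-Fit substitution the advisory describes,
# soft hyphen U+00AD (0xAD) -> ASCII hyphen (0x2D), as applied on code pages
# 932 (Japanese), 936 (Simplified Chinese) and 950 (Traditional Chinese).
BEST_FIT = {0xAD: ord("-")}

# Constructed samples. SAMPLE_QUERY has the shape of an argument-injection
# request: '=' is percent-encoded, so the raw string contains no literal '='.
SAMPLE_QUERY = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
PLAIN_HYPHEN_QUERY = "%2Dd+allow_url_include%3d1"
BENIGN_QUERY = "page%3dhome"


def cgi_argv(query_string: str) -> list[bytes]:
    """RFC 3875 section 4.4: a query string with no literal '=' is split on
    '+' and handed to the CGI program as URL-decoded command-line arguments."""
    if "=" in query_string:
        return []
    return [unquote_to_bytes(part) for part in query_string.split("+")]


def windows_best_fit(arg: bytes) -> bytes:
    """Emulate the lossy conversion the php-cgi child sees in its argv on an
    affected locale: a byte with no exact mapping becomes its look-alike."""
    return bytes(BEST_FIT.get(b, b) for b in arg)


def converted_argv(query_string: str, best_fit_locale: bool) -> list[bytes]:
    """argv as php-cgi receives it on the given locale."""
    argv = cgi_argv(query_string)
    return [windows_best_fit(a) for a in argv] if best_fit_locale else argv


def original_guard(query_string: str, best_fit_locale: bool) -> bool:
    """Reconstruction of the CVE-2012-1823 guard from its public description:
    decode QUERY_STRING, skip leading blanks, refuse option parsing only if the
    first byte is an ASCII hyphen. It is unaware of the argv conversion."""
    del best_fit_locale  # the original check never looks at the converted argv
    decoded = unquote_to_bytes(query_string.replace("+", " ")).lstrip(b" ")
    return decoded[:1] == b"-"


def hardened_guard(query_string: str, best_fit_locale: bool) -> bool:
    """One consistent check (an assumption of this example, not the upstream
    fix): decide on the argv the process will actually parse, after the same
    conversion, and treat a raw soft hyphen as a hyphen as well."""
    return any(arg[:1] in (b"-", b"\xad")
               for arg in converted_argv(query_string, best_fit_locale))


def options_parsed(query_string: str, best_fit_locale: bool, guard) -> list[bytes]:
    """Option arguments getopt would consume if the guard lets it run."""
    if guard(query_string, best_fit_locale):
        return []
    return [a for a in converted_argv(query_string, best_fit_locale)
            if a.startswith(b"-")]


def matches_mitigation_rule(query_string: str) -> bool:
    """Condition of the advisory's Apache workaround, which rejects the
    request before decoding: RewriteCond %{QUERY_STRING} ^%ad [NC]."""
    return query_string.lower().startswith("%ad")


if __name__ == "__main__":
    for label, q in (("soft hyphen", SAMPLE_QUERY),
                     ("plain hyphen", PLAIN_HYPHEN_QUERY),
                     ("benign", BENIGN_QUERY)):
        print(f"{label:13} affected locale, original guard:",
              options_parsed(q, True, original_guard))
        print(f"{label:13} affected locale, hardened guard:",
              options_parsed(q, True, hardened_guard))
        print(f"{label:13} other locale,    original guard:",
              options_parsed(q, False, original_guard))
        print(f"{label:13} rewrite rule blocks it:", matches_mitigation_rule(q))
```

Running it shows the asymmetry that makes the bug: the plain-hyphen request is stopped by the original guard on every locale, while the soft-hyphen request passes the guard and still yields two -d options on an affected locale, and yields nothing on a locale without that Best-Fit mapping. The rewrite-rule check matches only the soft-hyphen sample, which is why the advisory presents it as a stopgap rather than a replacement for patching or for leaving CGI mode.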

You can refer to the full mitigation document from DEVCORE here.
