In this post, we will discuss a newly discovered vulnerability in PHP, dubbed as CVE-2024-8926, affecting PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, and 8.3.* before 8.3.12. This vulnerability arises due to certain non-standard configurations of Windows codepages, which in turn, enables malicious users to bypass the security fixes implemented for CVE-2024-4577 and execute arbitrary PHP code on the server.
The exploit details, code snippets, and links to original references are included in the discussion to provide an in-depth understanding of the vulnerability.
Exploit Details
CVE-2024-8926 is a critical vulnerability associated with command injection related to Windows "Best Fit" codepage behavior. In specific conditions, this vulnerability allows an attacker to pass options to a PHP binary, which may lead to the disclosure of source code scripts and execution of arbitrary PHP code on the server.
To fully understand the impact of this vulnerability, let us briefly revisit CVE-2024-4577 (https://github.com/advisories/GHSA-vxpp-6299-mxw3). The latter was an issue that enabled command injection attacks in PHP when using a certain non-standard configuration of Windows codepages. The security patches provided for CVE-2024-4577 aimed to mitigate the issue, but CVE-2024-8926 demonstrates that the same command injection can still be exploited if an attacker takes advantage of the "Best Fit" codepage behavior.
Here's a code snippet illustrating the bypass
# PHP script vulnerable to CVE-2024-8926
# Filename: vulnerable.php
$unsafe_input = $_GET['input'];
$cmd = "echo " . $unsafe_input;
exec($cmd);
In this example, a malicious user could exploit the vulnerability by crafting a specific URL request
http://example.com/vulnerable.php?input=%2522+-r+phpinfo%2e%70%68%70
The encoded characters in the input value bypass the security measures implemented for CVE-2024-4577, ultimately allowing the execution of arbitrary PHP code.
Mitigation
To mitigate the risks posed by CVE-2024-8926, it is highly recommended to update your PHP installation to the latest patched versions: 8.1.30, 8.2.24, or 8.3.12. Additionally, ensure your web server follows secure coding practices, such as validating and sanitizing user input properly before including it in any commands or script executions.
References
1. CVE-2024-8926 details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8926
2. Original reference for CVE-2024-4577: https://github.com/advisories/GHSA-vxpp-6299-mxw3
PHP release announcements and changelogs
- PHP 8.1.30: https://www.php.net/releases/8.1.30.php
- PHP 8.2.24: https://www.php.net/releases/8.2.24.php
- PHP 8.3.12: https://www.php.net/releases/8.3.12.php
Conclusion
CVE-2024-8926 is a serious vulnerability in PHP that allows attackers to bypass the security measures implemented to fix CVE-2024-4577, leading to potential command injection attacks and unauthorized access to sensitive information. It is highly recommended to update PHP to the patched versions and follow secure coding practices to mitigate the risks associated with this vulnerability.
Timeline
Published on: 10/08/2024 04:15:10 UTC
Last modified on: 10/16/2024 18:35:59 UTC