Connect with sales  +1 877-586-1965

By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-4577

Content Spoofing
Affects
PHP
>=8.1.0 <8.1.29, >=8.2.0 <8.2.20, >=8.3.0 <8.3.8
in
PHP
No items found.
Exclamation circle icon
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs
View NES Solution

Overview

PHP is a widely used scripting language used mostly for web development. It lets you create dynamic and interactive web applications by embedding it in HTML. It is widely used for tasks like handling forms, session management, and interacting with databases, making it a key component of many content management systems like Wordpress and Drupal.

A command injection vulnerability (CVE-2024-4577) has been identified in PHP that comes from the misinterpretation of characters in certain Windows code pages. This flaw allows attackers to inject arbitrary command-line inputs, which are then processed by PHP. As a result, the attacker can execute unauthorized system commands.

Per OWASP: Command Injection is an attack where arbitrary commands are executed on a host system through a vulnerable application. This occurs when user input, such as data from forms or headers, is passed unsafely to a system shell. The attack exploits insufficient input validation, allowing the attacker to execute commands with the application’s privileges. Command injection leverages the default functionality of the application to run system commands.

This issue affects multiple versions of PHP.

Details

Module Info

Vulnerability Info

This Critical-severtity vulnerability comes from the “Best-Fit” behavior in certain Windows code pages, which misinterprets special characters. This misinterpretation allows attackers to inject malicious command-line inputs, which are processed by the PHP-CGI. As a result, the attacker can execute arbitrary PHP code, potentially leading to unauthorized access or exposure of sensitive information. 

Credits

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to the latest PHP versions.
  • Leverage a commercial support partner like ZendPHP through HeroDevs for post-EOL security support.

Pink arrow
Pink arrow
CVE-2024-4577
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-4577
PROJECT Affected
PHP
Versions Affected
>=8.1.0 <8.1.29, >=8.2.0 <8.2.20, >=8.3.0 <8.3.8
Published date
September 30, 2024
≈ Fix date
September 30, 2024
Fixed in
PHP
Severity
Critical
Category
Content Spoofing