Critical PHP on Windows Vulnerability

What is the Critical PHP Vulnerability?

A critical code execution vulnerability has been found in PHP running on Windows through Apache CGI or XAMPP. The issue stems from the way PHP on Windows converts Unicode characters to ASCII using the operating system's Best Fit feature, which reopens a very old vulnerability (CVE-2012-1823). It can be exploited via argument injection to pass user-supplied input into commands that PHP then executes.

Which PHP versions are vulnerable?

This vulnerability affects all versions of PHP installed on Windows. Within the supported branches, the affected releases are:

  1. PHP 8.3 < 8.3.8
  2. PHP 8.2 < 8.2.20
  3. PHP 8.1 < 8.1.29

The PHP 8.0, PHP 7, and PHP 5 branches are End-of-Life and are no longer maintained; see the suggested mitigation below.

How do I fix the PHP vulnerability?

Update PHP: fixed releases of PHP 8.3, 8.2, and 8.1 were published on June 6.

Apache:
If your PHP branch has no updated release, the issue can be mitigated in Apache by not serving PHP through PHP-CGI; use mod_php or PHP-FPM instead. Look for:

  AddHandler cgi-script .php
  Action cgi-script "/cgi-bin/php-cgi.exe"

Or:

  SetHandler application/x-httpd-php-cgi

XAMPP:
Make sure the PHP binary (php-cgi.exe) is not exposed through the CGI directory, as it is in the default setup, either by being present in that directory or by being mapped into it with ScriptAlias.
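The following is an added example, not code from the advisory or from the PHP project, that turns the two checks above into a small audit script: it compares a PHP version string against the fixed releases listed in this advisory, and it scans an Apache httpd.conf for the PHP-CGI directives named in the Apache and XAMPP sections (AddHandler/Action with php-cgi, SetHandler application/x-httpd-php-cgi, and ScriptAlias entries that point at a PHP path). The sample configuration embedded in it is constructed for demonstration, and the treatment of branches newer than 8.3 as unaffected is an assumption not stated by the advisory.

```python
"""Added example (not from the advisory): flag PHP-CGI exposure in an Apache
httpd.conf and check a Windows PHP version against the fixed releases above."""
import re

# Fixed releases named in the advisory, keyed by branch (major, minor).
FIXED_RELEASES = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

def parse_version(text: str) -> tuple:
    """Turn '8.2.19' (a suffix such as 'RC1' is ignored) into (8, 2, 19)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable_version(text: str) -> bool:
    """True if this PHP release predates the fix for its branch.
    Branches the advisory calls End-of-Life (8.0, 7.x, 5.x) have no fixed
    release and are reported as vulnerable. Branches newer than 8.3 are not
    covered by the advisory and are treated as not affected (assumption)."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    return branch < (8, 1)

# Directive patterns that route .php requests through php-cgi.exe, taken from
# the advisory's Apache and XAMPP sections. Apache directive names are
# case-insensitive, so the patterns are too.
CGI_PATTERNS = [
    (re.compile(r"^\s*AddHandler\s+cgi-script\b.*\.php", re.I),
     "AddHandler maps .php to cgi-script"),
    (re.compile(r"^\s*Action\s+cgi-script\s+\S*php-cgi", re.I),
     "Action routes cgi-script to php-cgi"),
    (re.compile(r"^\s*SetHandler\s+application/x-httpd-php-cgi\b", re.I),
     "SetHandler uses the php-cgi handler"),
    (re.compile(r'^\s*ScriptAlias\s+\S+\s+"?[^"\s]*php', re.I),
     "ScriptAlias targets a PHP path; confirm php-cgi.exe is not reachable"),
]

def find_cgi_handlers(conf_text: str) -> list:
    """Return (line_number, reason, directive) for each PHP-CGI directive.
    Trailing '#' comments are stripped first, so commented-out lines are
    not reported (a '#' inside a quoted value would also be treated as a
    comment; good enough for an audit pass)."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]
        for pattern, reason in CGI_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason, line.strip()))
                break
    return findings

# Constructed sample httpd.conf fragment for demonstration; not a real deployment.
SAMPLE_CONF = """\
# PHP via CGI (vulnerable pattern)
ScriptAlias /cgi-bin/ "C:/xampp/cgi-bin/"
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
ScriptAlias /php/ "C:/xampp/php/"
# SetHandler application/x-httpd-php-cgi   (commented out, must not be flagged)
# mod_php / PHP-FPM alternatives (not flagged)
LoadModule php_module "C:/xampp/php/php8apache2_4.dll"
AddHandler application/x-httpd-php .php
SetHandler "proxy:fcgi://127.0.0.1:9000"
"""

if __name__ == "__main__":
    for version in ("8.3.7", "8.3.8", "8.0.30"):
        state = "VULNERABLE" if is_vulnerable_version(version) else "fixed"
        print(f"PHP {version}: {state}")
    for lineno, reason, directive in find_cgi_handlers(SAMPLE_CONF):
        print(f"httpd.conf:{lineno}: {reason}: {directive}")
```

In practice, feed the script the output of `php -v` and the contents of your httpd.conf (and any included files); every line it reports is a place where PHP is still being served through php-cgi.exe and should be replaced with a mod_php or PHP-FPM handler, or removed, until the branch can be updated.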