Multiple vulnerabilities in PHP



Published: 2024-09-27
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2024-8926
CVE-2024-8927
CVE-2024-9026
CVE-2024-8925
CWE-ID CWE-78
CWE-254
CWE-778
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
PHP
Universal components / Libraries / Scripting languages

Vendor PHP Group

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) OS Command Injection

EUVDB-ID: #VU97691

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8926

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in PHP-CGI implementation. A remote attacker can send specially crafted HTTP request to the application and execute arbitrary OS commands on the system.

Note, the vulnerability exists due to incomplete fix for #VU91106 (CVE-2024-4577).

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 8.0.0 - 8.3.11

CPE2.3 External links

http://www.php.net/ChangeLog-8.php#8.1.30
http://www.php.net/ChangeLog-8.php#8.2.24
http://www.php.net/ChangeLog-8.php#8.3.12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security features bypass

EUVDB-ID: #VU97746

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8927

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to environment variable collision, which can lead to cgi.force_redirect bypass. A remote attacker can bypass implemented security restriction and gain unauthorized access to the application.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 8.0.0 - 8.3.11

CPE2.3 External links

http://www.php.net/ChangeLog-8.php#8.1.30
http://www.php.net/ChangeLog-8.php#8.2.24
http://www.php.net/ChangeLog-8.php#8.3.12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Insufficient Logging

EUVDB-ID: #VU97747

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-9026

CWE-ID: CWE-778 - Insufficient Logging

Exploit availability: No

Description

The vulnerability allows an attacker to alter log files.

The vulnerability exists due to an unspecified error, which can lead to logs from child processes to be altered.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 8.0.0 - 8.3.11

CPE2.3 External links

http://www.php.net/ChangeLog-8.php#8.1.30
http://www.php.net/ChangeLog-8.php#8.2.24
http://www.php.net/ChangeLog-8.php#8.3.12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU97748

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-8925

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing multipart form data. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PHP: 8.0.0 - 8.3.11

CPE2.3 External links

http://www.php.net/ChangeLog-8.php#8.1.30
http://www.php.net/ChangeLog-8.php#8.2.24
http://www.php.net/ChangeLog-8.php#8.3.12


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###