Critical PHP Vulnerabilities Let Attackers Inject Commands : Patch Now

In Cybersecurity News - Original News Source is by Blog Writer

Post Sharing

Multiple vulnerabilities have been identified in PHP that are associated with Command Injection, Cookie Bypass, Account takeover, and Denial of Service.

The CVEs for these vulnerabilities have been given as CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, and CVE-2024-2757. The severity of these vulnerabilities is yet to be categorized.

However, the latest version of PHP 8.3.6 has been released, and it addresses all of these vulnerabilities alongside multiple features and bug fixes.

The complete changelog of PHP 8.3.6 can be seen in this link.

Critical PHP Vulnerabilities

According to the reports shared with Cyber Security News, these vulnerabilities affect all versions prior to 8.3.5, 8.2.18, 8.1.28, and 8.1.11.

The vulnerabilities identified are as follows:

  • Command Injection (CVE-2024-1874).
  • Cookie Bypass is due to an insufficient fix of CVE-2022-31629 (CVE-2024-2756).
  • Null byte acceptance leading to Account TakeOver (CVE-2024-3096).
  • Denial of Service (CVE-2024-2757).

Command Injection (CVE-2024-1874)

This particular vulnerability is due to the $command parameter of proc_open, which executes commands using its arguments.


Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by
other email security solutions. .

According to the proc_open documentation, PHP handles any necessary arguments when an array of command parameters are passed to the $command parameter and it will open the process directly without passing it to the shell.

Additionally, the GitHub advisory of this vulnerability also stated that there are reports about this “command injection vulnerability when executing the batch file.”

When executing the .bat or .cmd files, CreateProcess spawns the cmd.exe process that could lead to the command line arguments being parsed in cmd.exe. 

However, a proof-of-concept for this vulnerability has been published.

Cookie Bypass Due To Insufficient Fix Of CVE-2022-31629 (CVE-2024-2756)

CVE-2022-31629 allows a threat actor to set a standard insecure cookie in the victim’s browser that is then treated as a `__Host-` or `__Secure-` cookie by PHP applications.

This vulnerability was stated as fixed in versions 7.4.31, 8.0.24 and 8.1.11. However, researchers have found a bypass for this fix which is assigned with CVE-2024-2756.

To explain further, PHP replaces spaces( ), dots (.) and open square brackets ([ ]) with underscore (_) in the $_POST and $_GET arrays. This is also applicable to $_COOKIE.

This particular behavior can be exploited by a threat actor to overwrite the cookies written by the browser and can perform potential malicious operations like stealing or replacing sensitive cookies.

This vulnerability has been stated to be fixed by PHP in versions 8.1.28, 8.2.18 and 8.3.6. A proof-of-concept for this vulnerability has also been published.

As an interesting note, both of these CVEs were reported by the same researcher.

Null Byte Acceptance Leading To Account TakeOver (CVE-2024-3096)

This particular vulnerability can be exploited by sending the password_hash parameter with a null byte x00 that will result in the password_verify being returned as true.

This means that if a threat actor creates a password with a null string, he can then compromise a victim account by signing in with a blank string.

This vulnerability has also been addressed in PHP versions 8.1.28, 8.2.18 and 8.3.6. Additionally, a proof-of-concept has also been released.

Denial Of Service (CVE-2024-2757)

The mb_encode_mimeheader has been identified to be generating an endless loop when certain inputs are provided to the parameter.

Though, this vulnerability has not yet been fully described, it has been mentioned that this vulnerability could lead to a Denial of Service condition on affected instances. 

A threat actor can exploit this vulnerability by manipulating a user into providing untrusted inputs on the affected devices leading to the denial of service condition.

A proof-of-concept for this vulnerability has also been released.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.