Advisory 2024-06/01 PHP CGI Argument Injection Vulnerability
Vulnerability type | Argument injection vulnerability |
Severity factors | This is a critical vulnerability. Specific severity ratings have not yet been published. |
Versions affected | FileCloud versions 22.1 through 23.232.1 on Windows Server are affected. FileCloud deployments on Linux and FileCloud online are not affected; no action is required for these platforms. |
Version fixed | The next major version of FileCloud, version 23.241, which has not yet been released, will include an updated version of PHP to fix this. |
Description
A critical remote code execution vulnerability affects older PHP versions prior to 8.3.8, 8.2.20, and 8.1.29 configured in CGI mode. The vulnerability arises from PHP's misinterpretation of soft hyphens (character code 0xAD) as regular hyphens, allowing attackers to bypass security by injecting commands into the PHP interpreter. Although FileCloud does not use PHP-CGI, the module is included in the installation package, which exposes FileCloud to the vulnerability.
Modes of Exploitation:
- Argument Injection: Attackers can manipulate URLs with soft hyphens that PHP's CGI mode misinterprets as command-line arguments, leading to command execution.
- Using Locales: Primarily identified in Chinese and Japanese locales, this vulnerability could potentially affect other locales. All FileCloud customers are advised to follow the mitigation steps outlined below.
Fix
- If you are using FileCloud versions 22.1 through 23.232.1 on Windows Server, follow the steps below to address this critical vulnerability. When you receive notification that FileCloud 23.241 has been released, we recommend updating to that version.
- If you are using FileCloud on Linux or FileCloud online, no action is required.
What you should do to fix this vulnerability
For FileCloud versions 22.1, 23.1, 23.232, and 23.232.1
During your organization's scheduled maintenance window:
- Locate the FileCloud XAMPP installation folder on your Windows server.
- Go to C:\xampp\apache\conf\extra\ and open httpd-xampp.conf.
- In the file, find the following lines:
ScriptAlias /php-cgi/ "/xampp/php/" <Directory "/xampp/php"> AllowOverride None Options None Require all denied <Files "php-cgi.exe"> Require all granted </Files> </Directory>
- Comment out these lines by prefixing them with a #, as shown below, then save and close the file:
#ScriptAlias /php-cgi/ "/xampp/php/" #<Directory "/xampp/php"> # AllowOverride None # Options None # Require all denied # <Files "php-cgi.exe"> # Require all granted # </Files> #</Directory>
- Open the FileCloud control panel and restart the web server.
Once the server restarts, the fix is complete.
For FileCloud Versions earlier than v22.1:
- Upgrade FileCloud to version v23.232.1.
- After upgrading, follow the steps above.