AppTrana Overview

Start Free with Advance Plan

AppTrana

Billing

CDN

Dashboard

Detect page

Monitor page

Protect page

API Discovery Feature

API Request to Purge CDN Data

API Scan Coverage for OWASP Top 10

ASN based IP Whitelisting

Advanced Behavioral DDoS

Analysis page - Access Trend Visualization

Analysis page - Attack Trend Visualisation

Asset Discovery

BOT Protection

Browser Protection

Configure Custom Error Pages in AppTrana

Configuring Custom Error Page in AppTrana

Configuring Custom Error and Maintenance Pages in AppTrana WAAP

Custom Bot Configuration

Customize Application Behavior with Bot Score

DNS Management

Enable and Configure Single Sign-On

Enabling SIEM Integration

False Positive Analysis Report on WAAP

Malware Scanning for File Uploads

Manage WAAP Email Alerts

Origin Health Check Mechanism

Restricted Admin User

Self Service Rules

SwyftComply

WAF Automated Bypass and Unbypass

Whitelist Vulnerabilities on the AppTrana WAAP

Add Application

Analysis

AppTrana API Protection - OWASP Top 10 of 2019

Apptrana Protection WAF Rules Coverage

Change Plan

Dashboard

Detect

How to Connect Your SIEM to AppTrana

Indusface Partner APIs

Manage

Monitor

Overview

Process of Mapping Alias Domain

Profile

Protect

Settings

Onboard into Indusface WAS

SAML Integration with Azure for Single Sign-On

API Security Audit

Application Audit[AA]

Asset Monitoring

Dashboard

Malware Monitoring[MM]

New Reporting Structure

Reports

Settings

Summary

Vulnerability Assessment[VA]

Reports and Settings

Summary & Dashboard

Website Settings

API Key Based - Scan Log Export

AcuRisQ – Risk Management with Advanced Risk Scoring

SIEM Integration with Sumo Logic

WAS Consulting License

WAS Defacement Checks

Indusface WAS Scanned Vulnerabilities

Indusface Product Newsletter - August 19

Indusface Product Newsletter - February 2023

Indusface Product Newsletter - June 20

Indusface Product Newsletter - March 2022

Indusface Product Newsletter - October 19

Indusface Product Newsletter - October 2021

Indusface Product Newsletter- April 2021

Indusface Product Newsletter- October 2022

Indusface Product Newsletter-January21

Product Newsletter of February 18

Product Newsletter of January 18

Product Newsletter of January 19

Product Newsletter of July 18

Product Newsletter of March 18

Product Newsletter of March 19

Product Newsletter of May 18

Product Newsletter of May 19

WAF Portal Revamp June 18

Vulnerability Report of April 23

Vulnerability Report of August 23

Vulnerability Report of December 23

Vulnerability Report of February 23

Vulnerability Report of January 23

Vulnerability Report of July 23

Vulnerability Report of June 23

Vulnerability Report of March 23

Vulnerability Report of May 23

Vulnerability Report of November 23

Vulnerability Report of October 23

Vulnerability Report of September 23

CRS Vs Zero Day Vulnerabilities - August 2016

CRS vs Zero Day Vulnerability - September 2016

CRS vs. Zero Day Vulnerability - December 2016

CRS vs. Zero Day Vulnerability - November 2016

CRS vs. Zero Day Vulnerability - October 2016

Vulnerability report for Apr 3rd - Apr 9th 17

Vulnerability report for April 17th - Apr 23rd 17

Vulnerability report of April 10th - April 16th

Vulnerability report for 27th Feb - 5th Mar

Vulnerability report for Mar 13th - Mar 19th

Vulnerability report for Mar 20th - Mar 26th

Vulnerability report for Mar 27th - Apr 2nd

Vulnerability report for Mar 6th - Mar 12th

Vulnerability report for 30th Jan - 19th Feb

Vulnerabilities detected from 2nd Jan - 8th Jan

Vulnerability report from 16th Jan - 29th Jan

Vulnerability Report of August 17

Vulnerability Report of December 17

Vulnerability Report of July 17

Vulnerability Report of June 17

Vulnerability Report of May 17

Vulnerability Report of November 17

Vulnerability Report of October 17

Vulnerability Report of September 17

Vulnerability Report of April 18

Vulnerability Report of August 18

Vulnerability Report of December 18

Vulnerability Report of February 18

Vulnerability Report of January 18

Vulnerability Report of July 18

Vulnerability Report of June 18

Vulnerability Report of March 18

Vulnerability Report of November 18

Vulnerability Report of October 18

Vulnerability Report of September 18

Vulnerability Reports of May 18

Vulnerability Report of April 19

Vulnerability Report of August 19

Vulnerability Report of December 19

Vulnerability Report of February 19

Vulnerability Report of January 19

Vulnerability Report of July 19

Vulnerability Report of June 19

Vulnerability Report of March 19

Vulnerability Report of May 19

Vulnerability Report of November 19

Vulnerability Report of October 19

Vulnerability Report of September 19

Vulnerability Report of April 20

Vulnerability Report of December 20

Vulnerability Report of February 20

Vulnerability Report of January 20

Vulnerability Report of July 20

Vulnerability Report of June 20

Vulnerability Report of March 20

Vulnerability Report of May 20

Vulnerability Report of November 20

Vulnerability Report of October 20

Vulnerability Report of Sep 20

Vulnerability Report of April 21

Vulnerability Report of August 21

Vulnerability Report of December 21

Vulnerability Report of February 21

Vulnerability Report of January 21

Vulnerability Report of July 21

Vulnerability Report of June 21

Vulnerability Report of March 21

Vulnerability Report of May 21

Vulnerability Report of November 21

Vulnerability Report of October 21

Vulnerability Report of September 21

Vulnerability Report of April 22

Vulnerability Report of August 22

Vulnerability Report of February 22

Vulnerability Report of January 22

Vulnerability Report of July 22

Vulnerability Report of June 22

Vulnerability Report of March 22

Vulnerability Report of May 22

Vulnerability Report of November 22

Vulnerability Report of October 22

Vulnerability Report of September 22

Zero-Day Vulnerability Report - December 2022

Vulnerability Report of April 2024

Vulnerability Report of August 2024

Vulnerability Report of February 2024

Vulnerability Report of January 2024

Vulnerability Report of July 2024

Vulnerability Report of June 2024

Vulnerability Report of March 2024

Vulnerability Report of May 2024

CVE-2024-1071 – Critical Vulnerability in Ultimate Member WordPress Plugin

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

CVE-2024-8517 – Unauthenticated Remote Code Execution in SPIP

Critical Apache OFBiz Zero-day AuthBiz (CVE-2023-49070 and CVE-2023-51467)

Hotjar's OAuth+XSS Flaw Exposes Millions at Risk of Account Takeover

ScreenConnect Authentication Bypass (CVE-2024-1709 & CVE-2024-1708)

Adobe ColdFusion Vulnerabilities Exploited in the Wild

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Apache log4j RCE vulnerability

ApacheStructs_VG

CVE-2024-8190 – OS Command Injection in Ivanti CSA

HTTP/2 Rapid Reset Attack Vulnerability

Multiple Moveit Transfer Vulnerabilities

Oracle WebLogic Server Deserialization

Remote Unauthenticated API Access Vulnerabilities in Ivanti

Unpacking the Zimbra Cross-Site Scripting Vulnerability(CVE-2023-37580)

All Categories
Security Bulletin

Vulnerabilities 2024

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

Updated 4 months ago by vinugayathri.chinnasamy@indusface.com

On June 7, 2024, a new critical PHP vulnerability CVE-2024-4577 was revealed, mainly impacting XAMPP on Windows. It happens when PHP runs in CGI mode with specific language settings, like Chinese or Japanese.

The problem comes from how PHP handles certain characters, allowing attackers to inject code through web requests and take control of servers.

This vulnerability, if exploited, could lead to the execution of arbitrary code, a scenario with severe consequences for system integrity and data security.

Insights and Analysis- CVE-2024-4577

CVE-2024-4577 signifies a CGI argument injection vulnerability within PHP, capable of compromising Windows-based servers running PHP.

Risk Analysis

Severity: Critical CVSSv3.x: Base Score: 9.8 Critical

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSSv2: Base Score: 7.5 High Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploit available in public: Yes Exploit complexity: Low

The vulnerability impacts:

PHP 8.3 versions earlier than 8.3.8
PHP 8.2 versions earlier than 8.2.20
PHP 8.1 versions earlier than 8.1.29

These versions, if left unpatched, remain susceptible to exploitation, leaving servers vulnerable to unauthorized access and potential data breaches.

The vulnerability traces its roots to errors in character encoding conversions, particularly within the "Best Fit" feature on Windows systems. This oversight provides attackers with a loophole to bypass existing security measures, notably those designed to thwart CVE-2012-1823, a predecessor vulnerability.

Active Exploitation

Hackers try to exploit the vulnerability within a day of its disclosure. The availability of proof-of-concept (PoC) attack code and active scans online underscores the urgency to apply immediate patches.

Attackers are exploiting CVE-2024–4577 in different ways with two primary attack scenarios emerging:

· CGI Mode Exploitation:

This vulnerability can be directly exploited when configuring the Action directive in Apache HTTP Server to map HTTP requests to a PHP-CGI executable binary.

· XAMPP Vulnerability:

The default configuration of XAMPP, a widely used PHP development environment, is susceptible to exploitation. Even if PHP is not configured in CGI mode, simply exposing the PHP executable binary in the CGI directory makes it vulnerable.

Common examples include copying php.exe or php-cgi.exe to the /cgi-bin/ directory.

Mitigation Strategies

Mitigating CVE-2024-4577 requires a multi-faceted approach, involving proactive measures and timely patching. Key mitigation strategies include:

· Immediate Patching: System admins should quickly update PHP installations to the patched versions (8.3.8, 8.2.20, and 8.1.29) provided by the PHP Group.

· Disabling CGI Features: In vulnerable environments like XAMPP, disabling PHP CGI features mitigates the risk of exploitation.

· Modifying Server Configurations: Employing mod_rewrite rules can enhance server defenses against potential exploits, augmenting existing security measures.

· Rewrite Rules: For users who cannot upgrade PHP can use these Rewrite Rules to block attacks temporarily.

AppTrana WAAP Coverage for CVE-2024-4577

AppTrana WAAP ensures that our customers are shielded from the risks associated with CVE-2024-4577 and similar vulnerabilities from Day 0.

In addition to relying on patches from the software vendor, the Indusface managed security team has developed rules specifically designed to swiftly detect injection vulnerabilities in PHP and prevent exploitation attempts.

Rule ID	Category
124	PHP Injection Attacks Policy
99876	PHP Injection Attacks Policy

WAAP effectively blocks potential attacks by issuing a robust 406-status code

AppTrana WAAP has a proven track record of safeguarding organizations from cyber-attacks by addressing both zero-day exploits and known vulnerabilities at the earliest stages.

Leveraging the expertise of our managed service team, along with built-in DAST Scanner and autonomous patching capabilities, AppTrana WAAP ensures that our customers remain protected from both new and existing exploits.

CVE-2024-4577 – A PHP CGI Argument Injection Vulnerability in Windows Servers

Insights and Analysis- CVE-2024-4577

Active Exploitation

Mitigation Strategies

AppTrana WAAP Coverage for CVE-2024-4577

How did we do?

CVE-2024-1071 – Critical Vulnerability in Ultimate Member WordPress Plugin

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

You might also want to read

CVE-2024-8190 – OS Command Injection in Ivanti CSA

CVE-2024-1071 – Critical Vulnerability in Ultimate Member WordPress Plugin

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Insights and Analysis- CVE-2024-4577

Active Exploitation

Mitigation Strategies

AppTrana WAAP Coverage for CVE-2024-4577

How did we do?

CVE-2024-1071 – Critical Vulnerability in Ultimate Member WordPress Plugin

CVE-2024-4879 & CVE-2024-5217 Exposed - The Risks of RCE in ServiceNow

You might also want to read

CVE-2024-8190 – OS Command Injection in Ivanti CSA

CVE-2024-1071 – Critical Vulnerability in Ultimate Member WordPress Plugin

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Contact