Critical PHP Vulnerability Found in XAMPP

A new vulnerability in XAMPP has been identified, which enables attackers to gain control of systems that are running PHP in CGI mode. This issue primarily impacts Windows-based installations that are configured to use Chinese or Japanese languages.

By Marco Rizal - Editor, Journalist 2 Min Read
Share this post?
Share this post?

A new vulnerability in XAMPP has been identified, which enables attackers to gain control of systems that are running PHP in CGI mode. This issue primarily impacts Windows-based installations that are configured to use Chinese or Japanese languages.

A new bug has been discovered in XAMPP, a widely used utility for rapidly configuring web servers.

Security expert Orange Tsai tweeted about it, stating that it is a default feature of XAMPP that impacts PHP.

This flaw has the potential to allow malicious individuals to gain control of your computer if it is operating in CGI mode with PHP and XAMPP.

XAMPP is used by many administrators and developers to operate web servers that incorporate Apache, PHP, and other tools.

This vulnerability is severe in that it has the potential to enable remote code execution (RCE), which enables an adversary to execute any command on your system.

The problem has been observed exclusively in PHP installations that operate in CGI mode and are based on Windows.

It impacts computers that are configured to operate in Japanese or Chinese (both simplified and traditional).

However, the security expert cautions that other languages may also be at risk and recommends that all users update to the most recent PHP version, which has resolved the issue.

Orange Tsai discovered that the flaw enables attackers to deceive the system into believing that a special character is a standard one.

This character, referred to as a soft hyphen, has the potential to introduce detrimental commands. This is due to the fact that PHP fails to properly convert these characters from Unicode to ASCII.

Usually, PHP safeguards against malicious commands by using escape sequences to obscure hazardous characters.

However, in this case, a soft hyphen (which appears to be a standard dash but is not) can circumvent this safeguard.

The soft hyphen is interpreted by PHP as a genuine hyphen, which permits the execution of detrimental commands.

The good news is that a solution is readily accessible. It is recommended that all individuals promptly update their PHP installations.

This is particularly critical for individuals who are utilizing the affected Chinese or Japanese settings, as the flaw is straightforward to exploit.

Leave a comment