// For flags

CVE-2024-8927

cgi.force_redirect configuration is bypassable due to the environment variable collision

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

A flaw was found in PHP. The configuration directive `cgi.force_redirect` prevents anyone from calling PHP directly with a URL such as http://host.example/cgi-bin/php/secretdir/script.php. However, in certain uncommon configurations, an attacker may be able to bypass this restriction and access php-cgi directly.

In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

It was discovered that PHP incorrectly handled parsing multipart form data. A remote attacker could possibly use this issue to inject payloads and cause PHP to ignore legitimate data. It was discovered that PHP incorrectly handled the cgi.force_redirect configuration option due to environment variable collisions. In certain configurations, an attacker could possibly use this issue bypass force_redirect restrictions.

*Credits: Owen Gong, RyotaK
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-09-17 CVE Reserved
  • 2024-10-02 CVE Published
  • 2025-03-18 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-1220: Insufficient Granularity of Access Control
CAPEC
  • CAPEC-252: PHP Local File Inclusion
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
PHP Group
Search vendor "PHP Group"
 PHP
Search vendor "PHP Group" for product "PHP"
 >= 8.1.0 < 8.1.30
Search vendor "PHP Group" for product "PHP" and version " >= 8.1.0 < 8.1.30"
en
Affected
PHP Group
Search vendor "PHP Group"
 PHP
Search vendor "PHP Group" for product "PHP"
 >= 8.2.0 < 8.2.24
Search vendor "PHP Group" for product "PHP" and version " >= 8.2.0 < 8.2.24"
en
Affected
PHP Group
Search vendor "PHP Group"
 PHP
Search vendor "PHP Group" for product "PHP"
 >= 8.3.0 < 8.3.12
Search vendor "PHP Group" for product "PHP" and version " >= 8.3.0 < 8.3.12"
en
Affected