This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: PHP `proc_open()` command injection due to insufficient escaping. **Consequences**: Attackers can execute arbitrary commands on Windows shells. …
**Root Cause**: CWE-116 (Improper Encoding/Escaping). **Flaw**: When `proc_open()` is used with the array syntax, input validation fails if the command name has trailing spaces, bypassing the previous fixes.
Q3. Who is affected? (Versions/Components)
**Affected**: PHP Group products. **Versions**: 8.1.* (before 8.1.29), 8.2.* (before 8.2.20), 8.3.* (before 8.3.8). **Note**: Older patches were bypassable via trailing spaces.
Q4. What can hackers do? (Privileges/Data)
**Privileges**: System-level access (user context of the PHP process). **Data**: Full read/write access to server files, databases, and environment variables. **Action**: Arbitrary command execution on Windows.
**Public Exp**: YES. **PoCs**: Available on GitHub (e.g., ox1111, Tgcohce). **Status**: Active exploitation techniques documented, specifically targeting the trailing space bypass.
Q7. How to self-check? (Features/Scanning)
**Check**: Scan for `proc_open()` calls with dynamic array inputs. **Tooling**: Use SAST/DAST tools that detect CWE-116. **Version**: Verify the PHP version against the affected list (8.1-8.3 pre-patch versions).
Q8. Is it fixed officially? (Patch/Mitigation)
**Fixed**: YES. **Patch**: Upgrade to PHP 8.1.29+, 8.2.20+, or 8.3.8+. **Vendor**: PHP Group released security advisories (GHSA-pc52-254m-w9w7).
Q9. What if no patch? (Workaround)
**Workaround**: Avoid `proc_open()` with user-controlled arrays. **Mitigation**: Strict input validation/sanitization. **Alternative**: Use safer functions like `exec()` with strict whitelisting if possible.
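As an added example of the workaround above (it is not code from the page, the PHP project, or any vendor advisory), the wrapper below only lets `proc_open()` run programs from a literal allowlist and refuses a command name that differs from its trimmed form, which is the trailing-space pattern the summary says defeated the earlier fixes. The allowlist paths, the `run_allowlisted()` name and the `CommandPolicyException` class are assumptions made for the illustration; the upgrade listed under Q8 remains the actual fix.

```php
<?php
// Added defensive example, not from the page or the PHP project.
// Hardened wrapper around proc_open(): the command name must match an
// allowlisted literal byte-for-byte (no trim() on lookup, so "git " does
// not resolve to "git"), and every argument is checked for control
// characters before anything reaches proc_open().
// Assumed/hypothetical: the allowlist contents and all function names.

declare(strict_types=1);

final class CommandPolicyException extends RuntimeException {}

/** Return the allowlisted program path for $name, or throw. */
function resolve_allowed_program(string $name): string
{
    // Constructed allowlist: logical name => literal executable path.
    static $allowed = [
        'git'     => 'C:\\Program Files\\Git\\cmd\\git.exe',
        'convert' => 'C:\\Tools\\ImageMagick\\convert.exe',
    ];
    // Exact-key lookup: a name with surrounding whitespace is simply unknown.
    if (!array_key_exists($name, $allowed)) {
        throw new CommandPolicyException('command not allowlisted: ' . var_export($name, true));
    }
    return $allowed[$name];
}

/** Reject control characters (NUL, CR, LF, ...) in a single argument. */
function assert_clean_argument(string $arg): void
{
    if (preg_match('/[\x00-\x1F\x7F]/', $arg) === 1) {
        throw new CommandPolicyException('argument contains control characters');
    }
}

/**
 * Run an allowlisted program with validated arguments through the array
 * form of proc_open() and return [exit code, stdout, stderr].
 *
 * @param list<string> $args
 * @return array{int,string,string}
 */
function run_allowlisted(string $name, array $args): array
{
    if ($name !== trim($name)) {
        // Leading/trailing whitespace in the command name is exactly the
        // pattern the summary describes; refuse it explicitly and early.
        throw new CommandPolicyException('command name has surrounding whitespace');
    }
    $program = resolve_allowed_program($name);
    foreach ($args as $arg) {
        if (!is_string($arg)) {
            throw new CommandPolicyException('non-string argument');
        }
        assert_clean_argument($arg);
    }

    $descriptors = [
        0 => ['pipe', 'r'],
        1 => ['pipe', 'w'],
        2 => ['pipe', 'w'],
    ];
    // Array form (PHP 7.4+): PHP quotes each element itself. bypass_shell is
    // the documented Windows-only option that avoids cmd.exe; it is defence in
    // depth here, not a substitute for the patched versions listed above.
    $proc = proc_open([$program, ...$args], $descriptors, $pipes, null, null,
                      ['bypass_shell' => true]);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    return [proc_close($proc), $out, $err];
}

// Usage (constructed): the trailing-space variant is refused before
// proc_open() is ever called; the clean name runs only if the path exists.
foreach (['git', 'git '] as $candidate) {
    try {
        [$code, $out] = run_allowlisted($candidate, ['--version']);
        echo var_export($candidate, true) . ": exit $code\n";
    } catch (RuntimeException $e) {
        echo var_export($candidate, true) . ': refused (' . $e->getMessage() . ")\n";
    }
}
```

The two checks are deliberately redundant: the exact-key allowlist lookup already rejects `"git "`, and the explicit `trim()` comparison turns that into a specific, loggable policy violation that a SOC can alert on rather than a generic "unknown command" error.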