This is a side story/extra bug while I’m preparing for my Black Hat USA presentation. I believe most of the details have already been covered in the official advisory (should be published soon). Although PHP-CGI has gradually been phased out over time, this vulnerability affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences.

Given the widespread use of PHP and XAMPP in the web ecosystem, I urge everyone to check if they are affected and update their systems accordingly. Please refer to the Security Alert published by DEVCORE for mitigation measures.

This vulnerability is incredibly simple, but that’s also what makes it interesting. Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature? I believe this feature could lead to more potential vulnerabilities. If you use this technique, don’t forget to reference to this article! 😉