
Security researchers have demonstrated a devastating new attack method that allows cybercriminals to execute remote code on internal corporate networks and development servers simply by tricking users into visiting a malicious website.
The attack combines a critical PHP vulnerability discovered by security researcher Orange Tsai with DNS rebinding techniques, creating a significant threat to enterprise security perimeters that rely on network isolation for protection.
DEVCORE security researcher Orange Tsai discovered and reported a critical Remote Code Execution (RCE) vulnerability, CVE-2024-4577, to the PHP team. Tsai's breakthrough came from reviving what security experts had considered a "dead" vulnerability from 2012.
The original flaw, CVE-2012-1823, allowed attackers to inject malicious command-line arguments into PHP applications by appending dash-prefixed parameters to URLs. While PHP developers patched this issue over a decade ago by blocking arguments starting with dashes, Tsai discovered a clever bypass that exploits how Windows handles character encoding conversions.
The vulnerability specifically affects Windows systems running PHP in CGI mode with East Asian language locales, including Traditional Chinese, Simplified Chinese, and Japanese.
The attack leverages Windows' "Best-Fit Mapping" feature, which substitutes a similar-looking character for any Unicode character that has no exact equivalent when text is converted to a legacy code page. By using a soft hyphen character (U+00AD) in URLs, attackers can circumvent PHP's security filter: Windows silently converts the soft hyphen to a regular hyphen, so the filter never sees the dash it is looking for, effectively re-enabling the original injection vector.
Breaking Browser Security with DNS Rebinding
The second component of this attack chain exploits DNS rebinding, a technique that subverts the browser's Same-Origin Policy (SOP). The Same-Origin Policy normally prevents scripts from one website from accessing resources on another domain.
DNS rebinding tricks browsers into believing malicious scripts hosted on an attacker's domain are actually being served from localhost or internal network addresses.
A security researcher, Mairon (@ZeroMemoryEx), demonstrated that the attack unfolds in a deceptively simple sequence.
When a victim visits a malicious website, the domain initially resolves to the attacker's external server, allowing the malicious page to load normally. However, the attacker then dynamically updates the DNS record to point to internal IP addresses like 127.0.0.1 or 192.168.x.x. Once the DNS Time-to-Live (TTL) expires—often just seconds—the victim's browser still believes it's communicating with the original domain, but requests now target internal services.
This attack methodology represents a shift in how cybercriminals can breach corporate networks. Traditional security perimeters, which rely on firewalls and network segmentation to protect internal resources, become less effective against browser-based attacks that originate from legitimate user sessions.
The technique particularly threatens XAMPP installations, a popular development environment used by developers worldwide. The vulnerability affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP servers through specific character sequences.
Many organisations run XAMPP on internal development servers, staging environments, or production systems, making them vulnerable to this attack chain.

The researchers' proof-of-concept demonstrates how attackers can automatically scan internal network ranges, identify vulnerable PHP installations, and execute arbitrary code through a single malicious webpage visit. This capability transforms employee web browsers into potential entry points for network compromise.
How This Works
Understanding this attack requires examining both its technical sophistication and practical implementation. The malicious website first serves JavaScript code that automates the entire attack sequence.
Using services like DuckDNS, attackers can change DNS records through API calls, enabling real-time domain rebinding. Once the rebinding takes effect, the attack script begins scanning common internal IP ranges such as 192.168.0.0/24 and 10.0.0.0/24. The script issues its requests in the 'no-cors' fetch mode, which lets the browser send cross-origin requests that Cross-Origin Resource Sharing checks would otherwise block, so internal services can be probed without triggering browser security warnings.
When the script identifies a vulnerable PHP-CGI installation, it crafts a malicious request using the soft hyphen bypass technique.
For example, instead of sending the blocked request "script.php?-s", the attack uses "script.php?%ADs"—the URL-encoded soft hyphen character. Windows' character conversion process silently transforms this into the dangerous "-s" parameter, enabling code execution.
Mitigation Strategies
Security experts recommend a multi-layered defense approach. Organisations should immediately update PHP installations to the latest versions and consider migrating away from PHP-CGI to more secure alternatives such as PHP-FPM. Network administrators should implement Host header verification and enforce TLS connections to internal services; both counter DNS rebinding because a rebound browser still sends the attacker's domain in the Host header, and the internal server's certificate will not match the domain name the browser expects.
Browser-based defenses include implementing strict Content Security Policy (CSP) headers and considering the deployment of DNS filtering solutions that can detect and block suspicious DNS rebinding attempts.
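Detection logic for the two indicators discussed above (an added example, not code from the article, PHP or XAMPP): the soft-hyphen argument-injection pattern from the "How This Works" section and the Host header check from the mitigation list, run over constructed access-log lines. The Apache log format, the allowed hostnames and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Hostnames under which this internal server is legitimately addressed (assumed).
ALLOWED_HOSTS = {"dev-xampp.internal", "localhost", "127.0.0.1"}

# Windows Best-Fit mapping turns U+00AD into '-' on the affected code pages;
# modelled here as a one-entry table (the real tables are much larger).
BEST_FIT = {0xAD: ord("-")}

# Assumed Apache LogFormat: combined format plus the Host header in quotes:
# "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Host}i\""
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) '
    r'HTTP/[\d.]+" \d{3} \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$')

def normalize_query(query: str) -> bytes:
    """Percent-decode, then apply the Best-Fit conversion Windows performs
    after PHP's own leading-dash check has already run."""
    return bytes(BEST_FIT.get(b, b) for b in unquote_to_bytes(query))

def is_arg_injection(target: str) -> bool:
    """True if the query would reach php-cgi as a leading-dash option
    (per the CGI spec a query with no unencoded '=' is passed as argv)."""
    query = target.partition("?")[2]
    return "=" not in query and normalize_query(query).startswith(b"-")

def is_rebinding_suspect(host: str) -> bool:
    """A rebound browser keeps sending the attacker's domain as Host."""
    return host.split(":", 1)[0].lower() not in ALLOWED_HOSTS

def scan_log(lines):
    """Return (line_number, rule) for every line matching a detection rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m and is_arg_injection(m["target"]):
            findings.append((n, "cve-2024-4577-arg-injection"))
        if m and is_rebinding_suspect(m["host"]):
            findings.append((n, "host-mismatch"))
    return findings

# Constructed sample lines: benign, rebinding plus soft-hyphen probe, direct probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "dev-xampp.internal"',
    '10.0.0.5 - - [12/Jun/2024:10:00:02 +0000] "GET /script.php?%ADs HTTP/1.1" 200 2048 "http://attacker.example/" "Mozilla/5.0" "attacker.example"',
    '10.0.0.9 - - [12/Jun/2024:10:00:03 +0000] "GET /script.php?-s HTTP/1.1" 403 199 "-" "curl/8.0" "127.0.0.1:8080"',
]
```

Calling scan_log(SAMPLE_LOG) flags the second line under both rules and the third line under the injection rule only, since 127.0.0.1 is an allowed host.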