Can you explain this vulnerability to me?

This vulnerability is a backdoor in PHPStudy versions 2016 through 2018 that allows unauthenticated remote attackers to execute arbitrary PHP code on affected systems. The backdoor listens for base64-encoded PHP code sent in the Accept-Charset HTTP header of incoming requests, decodes it, and executes it without proper validation. This enables attackers to run any PHP code remotely as the web server user, compromising the system. [1]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability allows attackers to execute arbitrary PHP code remotely without authentication, which can lead to full compromise of the affected system. Attackers can run malicious code, potentially gaining control over the server, accessing sensitive data, modifying or deleting files, and using the server for further attacks. [1]

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a GET request to the target URI (default /l.php) with a random alphanumeric string encoded in the Accept-Charset HTTP header. If the response body contains this string, the backdoor is confirmed present. For example, using curl: curl -H "Accept-Charset: <base64-encoded-random-string>" http://target/l.php and checking if the response contains the decoded string. [1]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling or uninstalling affected PHPStudy versions (2016 through 2018), restricting access to the vulnerable service, and applying any available patches or updates from the vendor. Additionally, monitoring logs for suspicious Accept-Charset headers and blocking requests containing base64-encoded payloads can help reduce risk until a full patch is applied. [1]

Useful 0 Not Useful 0