FrankenPHP Path Confusion Vulnerability in CGI Handling Allows Arbitrary File Execution
Vulnerability
A path confusion vulnerability has been identified in FrankenPHP versions prior to 1.11.2. The issue arises in the application's CGI path splitting logic, which improperly processes Unicode characters during case conversion. This flaw can lead to the execution of unintended files as PHP scripts, potentially allowing for remote code execution.
Impact
Exploitation of this vulnerability can result in arbitrary file execution, with the executed file potentially containing malicious PHP code, leading to remote code execution on the server.
Reproduction
The vulnerability can be reproduced by uploading a file with a .txt extension that contains malicious PHP code, such as a web shell, to a location within the document root. A request is then crafted whose path includes specific multi-byte Unicode characters, such as 'Ⱥ', to manipulate the 'SCRIPT_FILENAME' and 'SCRIPT_NAME' variables. This causes FrankenPHP to execute the uploaded .txt file as a PHP script, running the embedded malicious code.
Remediation
Users are advised to upgrade to FrankenPHP version 1.11.2, which addresses this vulnerability. Additionally, ensure that user-uploaded files are stored outside of the public document root and implement strict Web Application Firewall (WAF) rules to reject requests whose URL path contains such multi-byte Unicode characters.
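The following Go program is an added illustration of the defect class named above and of the remediation check; it is not FrankenPHP's own code and does not reproduce its path-splitting logic. It assumes (the advisory only says Unicode is mishandled during case conversion) that the root cause is a byte-offset drift: a ".php" index computed on strings.ToLower(path) is applied to the original path, and characters such as 'Ⱥ' (2 bytes in UTF-8) lower-case to 'ⱥ' (3 bytes), so the offset lands in the wrong place. splitPathUnsafe shows that drift, splitPathSafe shows a splitter that only folds ASCII letters so byte offsets stay aligned, and foldShiftRunes is a hypothetical WAF-style check that flags exactly the path characters whose lower-case form changes byte length, which is more precise than rejecting every multi-byte character. All function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// splitPathUnsafe mirrors the flawed pattern: the ".php" marker is located in
// a Unicode-lower-cased copy of the path, and that byte index is then applied
// to the ORIGINAL path. When an earlier character grows under lower-casing,
// the split point drifts into the PATH_INFO part of the request.
func splitPathUnsafe(path string) (scriptName, pathInfo string) {
	lower := strings.ToLower(path) // may be longer than path
	idx := strings.Index(lower, ".php")
	if idx == -1 {
		return path, ""
	}
	end := idx + len(".php")
	if end > len(path) {
		end = len(path)
	}
	return path[:end], path[end:]
}

// asciiLower folds only A-Z, so the result has exactly the same byte length
// as its input and every byte offset maps 1:1 onto the original string.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// splitPathSafe finds ".php" case-insensitively (for ASCII letters only) without
// ever changing byte length, so the split index cannot drift. It panics on the
// invariant violation, since that would mean the folding is no longer 1:1.
func splitPathSafe(path string) (scriptName, pathInfo string) {
	lower := asciiLower(path)
	if len(lower) != len(path) {
		panic("asciiLower must preserve byte length")
	}
	idx := strings.Index(lower, ".php")
	if idx == -1 {
		return path, ""
	}
	end := idx + len(".php")
	return path[:end], path[end:]
}

// foldShiftRunes returns the runes in path whose Unicode lower-case form has a
// different UTF-8 byte length than the rune itself. These are the characters
// that make a lower-cased-copy index drift; a WAF rule can reject a request
// path for which this list is non-empty instead of banning all non-ASCII.
func foldShiftRunes(path string) []rune {
	var out []rune
	for _, r := range path {
		if utf8.RuneLen(unicode.ToLower(r)) != utf8.RuneLen(r) {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed sample path: one byte-length-shifting character before the script.
	p := "/Ⱥ/index.php/extra"
	un, ui := splitPathUnsafe(p)
	sn, si := splitPathSafe(p)
	fmt.Printf("unsafe: SCRIPT_NAME=%q PATH_INFO=%q\n", un, ui)
	fmt.Printf("safe:   SCRIPT_NAME=%q PATH_INFO=%q\n", sn, si)
	fmt.Printf("fold-shifting runes: %q\n", foldShiftRunes(p))
}
```

With the sample path the unsafe splitter reports SCRIPT_NAME "/Ⱥ/index.php/" (the split has moved one byte into PATH_INFO), while the safe splitter reports "/Ⱥ/index.php" with PATH_INFO "/extra"; the check lists 'Ⱥ' as the only fold-shifting rune, and an all-ASCII path such as "/App/INDEX.PHP/x" yields none and still splits correctly.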