
Owen Gong

Rank: #22820 of 53,633
Total CVSS: 10
Vulnerabilities · 1
PT-2024-6536 · CVSS 10 · 2019-06-02 · PHP · PHP · CVE-2024-8927
Name of the Vulnerable Software and Affected Versions:
PHP versions 8.1.* through 8.1.29
PHP versions 8.2.* through 8.2.23
PHP versions 8.3.* through 8.3.11

Description: The issue is an erroneous security setting in the handling of the `cgi.force_redirect` configuration option. `cgi.force_redirect` is meant to ensure that the php-cgi binary is executed only by the HTTP server (through an internal redirect) and never invoked directly by a client; php-cgi verifies this by checking for a redirect-status variable in its environment, including `HTTP_REDIRECT_STATUS`. Under the CGI specification, client request headers are exported to the script as `HTTP_*` environment variables, so in certain scenarios the request submitter can control the content of `HTTP_REDIRECT_STATUS` through HTTP headers. The `cgi.force_redirect` protection is then not applied correctly, which may lead to arbitrary file inclusion in PHP. The option belongs to the CGI SAPI (php-cgi); it is not involved when PHP runs as mod_php or PHP-FPM.

Recommendations:
For PHP versions 8.1.* through 8.1.29, update to version 8.1.30 or later.
For PHP versions 8.2.* through 8.2.23, update to version 8.2.24 or later.
For PHP versions 8.3.* through 8.3.11, update to version 8.3.12 or later.
As a temporary workaround, prevent request submitters from influencing `HTTP_REDIRECT_STATUS`: strip the client-supplied `Redirect-Status` request header at the web server before the request reaches php-cgi (CGI maps that header to `HTTP_REDIRECT_STATUS`), and do not expose the php-cgi binary directly to clients. Do not rely on `HTTP_REDIRECT_STATUS` in sensitive configurations (for example as the variable named by `cgi.redirect_status_env`) until the fix is applied.
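The following Python is an added illustration written for this page; it is not code from PHP, from this tracker, or from the researcher. It models two things the advisory describes: which PHP versions fall inside the affected ranges, and why a client-controlled request header can satisfy php-cgi's redirect-status check. The header-to-environment mapping (`Redirect-Status` becomes `HTTP_REDIRECT_STATUS`) is the standard CGI rule from RFC 3875; the function names, the sample requests and the "hardened" variant that simply ignores `HTTP_`-prefixed variables are assumptions of this example, not PHP's actual patch.

```python
"""Model of PHP-CGI's cgi.force_redirect check, before and after hardening.

Added example, not PHP source. It models the logic the advisory describes:
php-cgi decides "was I invoked by the web server?" by looking for a
redirect-status variable in its environment. Per RFC 3875 section 4.1.18 a
client request header ``Redirect-Status: 200`` is exported to the CGI program
as ``HTTP_REDIRECT_STATUS=200``, so accepting that variable lets the request
submitter pass the check from outside.
"""
from __future__ import annotations

# First fixed patch level per minor line, taken from the advisory's ranges.
FIXED_PATCH = {(8, 1): 30, (8, 2): 24, (8, 3): 12}


def parse_version(version: str) -> tuple[int, int, int]:
    """Split 'major.minor.patch' (extra suffixes ignored) into integers."""
    major, minor, patch = version.split(".")[:3]
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version is inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False  # minor lines the advisory does not list
    return patch < fixed


def cgi_environment(request_headers: dict[str, str],
                    server_env: dict[str, str]) -> dict[str, str]:
    """Environment a CGI program sees: server-set variables plus every client
    request header as HTTP_<NAME> (upper-cased, '-' -> '_'), as RFC 3875
    specifies.  (Real servers special-case Content-Type/Content-Length; those
    are irrelevant here and not modelled.)"""
    env = dict(server_env)
    for name, value in request_headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def force_redirect_check_vulnerable(env: dict[str, str],
                                    redirect_status_env: str | None = None) -> bool:
    """Pre-fix behaviour modelled from the advisory: REDIRECT_STATUS,
    HTTP_REDIRECT_STATUS, or the cgi.redirect_status_env variable all count as
    proof of a server-internal invocation."""
    return ("REDIRECT_STATUS" in env
            or "HTTP_REDIRECT_STATUS" in env
            or (redirect_status_env is not None and redirect_status_env in env))


def force_redirect_check_hardened(env: dict[str, str],
                                  redirect_status_env: str | None = None) -> bool:
    """Assumed hardened variant: never trust a variable the client can set.
    Anything with the HTTP_ prefix came from a request header, so it is
    excluded; only server-set variables are accepted."""
    if redirect_status_env is not None and redirect_status_env.startswith("HTTP_"):
        redirect_status_env = None  # a header-derived name would reopen the hole
    return ("REDIRECT_STATUS" in env
            or (redirect_status_env is not None and redirect_status_env in env))


def demo() -> dict[str, bool]:
    """Constructed scenarios: a client hitting php-cgi directly with the header,
    and the web server's own internal redirect."""
    # Constructed request: client talks to php-cgi directly, server sets nothing.
    direct = cgi_environment({"Redirect-Status": "200", "Host": "example.test"}, {})
    # Constructed internal redirect: Apache-style server sets REDIRECT_STATUS.
    internal = cgi_environment({"Host": "example.test"}, {"REDIRECT_STATUS": "200"})
    return {
        "direct_passes_vulnerable": force_redirect_check_vulnerable(direct),
        "direct_passes_hardened": force_redirect_check_hardened(direct),
        "internal_passes_vulnerable": force_redirect_check_vulnerable(internal),
        "internal_passes_hardened": force_redirect_check_hardened(internal),
    }


if __name__ == "__main__":
    for v in ("8.1.29", "8.1.30", "8.2.23", "8.3.12"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(demo())
```

The point of `demo()` is the asymmetry: the direct request passes the vulnerable check solely because the client supplied `Redirect-Status`, while the server's own internal redirect passes both variants, so the hardened check loses nothing legitimate. Stripping `Redirect-Status` at the web server, as the workaround above suggests, makes `direct` look to php-cgi exactly like a request with no redirect-status variable at all.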