GHSA-wpj3-hf5j-x4v4

Published: 11 Apr 2024
Source: github
GitHub: not reviewed

Description

__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix

Summary

Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

Details

The vulnerability is identical to one previously described in https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed by PHP applications as __Host-. Notice that I reported this vulnerability multiple times via email after the fix for CVE-2022-31629 landed (I am the original reporter of that CVE), but I guess that the message got lost.

PoC

$ echo '<?php echo(json_encode($_COOKIE)); ?>' > x
$ docker run -p 8080:8080 --rm -v $(pwd):$(pwd) php:latest php -S 0.0.0.0:8080 $(pwd)/x
$ curl -b '_[Host-x=y' localhost:8080/x
{"__Host-x":"y"}
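The PoC works because PHP rewrites certain characters in request variable names before populating $_COOKIE, so a name the browser never treated as prefixed arrives in the application looking like __Host-x. A defender's check, usable in a reverse proxy or over access-log data, is to compare the raw Cookie header against what the application would see after mangling and flag any mismatch. The following is an added example written for this page, not code from the advisory or from PHP; php_mangle_name() is a deliberately simplified model (an assumption of this example) in which '.', ' ' and an unmatched '[' become '_', and a matched '[' ends the name as PHP's array syntax would.

```python
"""Flag cookie names that only gain a __Host-/__Secure- prefix after PHP-style
name mangling.  Added example; the mangling model is a simplification."""
from typing import List, Tuple

PROTECTED_PREFIXES = ("__Host-", "__Secure-")


def php_mangle_name(raw_name: str) -> str:
    """Simplified model of PHP request-variable name rewriting (assumption):
    '.' and ' ' become '_'; a '[' with no matching ']' also becomes '_';
    a '[' with a matching ']' starts an array key, so the base name ends there."""
    out = []
    for i, ch in enumerate(raw_name):
        if ch in ". ":
            out.append("_")
        elif ch == "[":
            if "]" in raw_name[i + 1:]:
                return "".join(out)      # 'a[b]' -> base name 'a'
            out.append("_")              # unmatched '[' -> '_'
        else:
            out.append(ch)
    return "".join(out)


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie header into (name, value) pairs without any mangling."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_spoofed_prefixes(header: str) -> List[Tuple[str, str]]:
    """Return (raw_name, mangled_name) for each cookie whose raw name does NOT
    carry a protected prefix but whose mangled name does.  A raw name that
    literally starts with __Host-/__Secure- is left alone: the browser only
    sends those when the prefix rules were satisfied when the cookie was set."""
    findings = []
    for raw_name, _value in parse_cookie_header(header):
        mangled = php_mangle_name(raw_name)
        if mangled.startswith(PROTECTED_PREFIXES) and not raw_name.startswith(PROTECTED_PREFIXES):
            findings.append((raw_name, mangled))
    return findings


if __name__ == "__main__":
    # Constructed sample header: one spoof via '[', one via '.', two legitimate cookies.
    sample = "_[Host-x=y; __Host-session=abc; _.Secure-token=1; sid=42"
    for raw, mangled in find_spoofed_prefixes(sample):
        print(f"suspicious cookie name {raw!r} would be seen as {mangled!r}")
```

The check keys on the raw header rather than on the parsed cookie array, because after parsing the spoofed and the genuine name are indistinguishable; the same idea can be applied inside a PHP application by reading $_SERVER['HTTP_COOKIE'] directly when a __Host- or __Secure- cookie is required. The mangling model should be adjusted to the PHP version actually deployed.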

Packages

Name: not listed
Affected versions: > 8.1.11, < 8.1.28
Fixed version: 8.1.28

Name: not listed
Affected versions: < 8.2.18
Fixed version: 8.2.18

Name: not listed
Affected versions: < 8.3.5
Fixed version: 8.3.6

EPSS

Percentile: 92%
Score: 0.08774
Low

Weaknesses

CWE-20

Related vulnerabilities

CVSS3: 6.5
ubuntu
about 1 year ago

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

CVSS3: 6.5
redhat
about 1 year ago

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

CVSS3: 6.5
nvd
about 1 year ago

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

CVSS3: 6.5
msrc
about 1 year ago

No description available

CVSS3: 6.5
debian
about 1 year ago

Due to an incomplete fix to CVE-2022-31629 https://github.com/advisor ...
