__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix

Summary

Due to an incomplete fix for CVE-2022-31629, network and same-site attackers can set a standard, insecure cookie in the victim's browser that PHP applications then treat as a __Host- or __Secure- cookie.

Details

The vulnerability is identical to the one previously described in https://bugs.php.net/bug.php?id=81727. Unfortunately, CVE-2022-31629 was only partially fixed in PHP 8.1.11 and later: a cookie whose name starts with _[Host- (or _[Secure-) is still parsed by PHP applications as __Host- (or __Secure-), because PHP's variable-name mangling replaces an unmatched '[' with '_' just as it replaces '.' and ' ', and the check added for CVE-2022-31629 does not cover that replacement. Notice that I reported this vulnerability multiple times via email after the fix for CVE-2022-31629 landed (I am the original reporter of that CVE), but I guess that the message got lost.
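To make the mangling concrete, here is an added example (not code from the advisory or from php-src) that re-implements in Python the cookie-name rules an unpatched PHP applies when building $_COOKIE, enough to reproduce the PoC result and the bug 81727 variants, and adds an application-side guard that compares PHP's view against the raw Cookie header. All function names are this example's own; percent-decoding of names and values is left out as a simplification because it does not change the mangling.

```python
"""PHP cookie-name mangling modelled in Python (added example, not php-src code).

Models the scalar-variable path of PHP's php_register_variable_ex() as far
as cookie names are concerned, plus a guard an application can run on a
runtime that only carries the partial CVE-2022-31629 fix.  Simplification:
percent-decoding of names and values is not modelled.
"""

PREFIXES = ("__Host-", "__Secure-")


def php_cookie_key(raw_name: str):
    """Return the $_COOKIE key an unpatched PHP derives from a raw cookie
    name, or None when PHP drops the cookie (empty name).

    Rules modelled:
      * leading spaces in the name are skipped;
      * ' ' and '.' become '_';
      * the first '[' starts an array index: with a later ']' the cookie is
        an array and only the base name matters for the prefix; without a
        ']' the '[' and everything after it are mangled in place
        ('[', ' ', '.' -> '_') and the name stays a scalar.  That last path
        is what turns "_[Host-x" into "__Host-x".
    """
    name = raw_name.lstrip(" ")
    out = []
    for i, ch in enumerate(name):
        if ch in " .":
            out.append("_")
        elif ch == "[":
            rest = name[i + 1:]
            if "]" in rest:
                break  # array cookie: the base name is what we have so far
            out.append("_")
            out.extend("_" if c in " .[" else c for c in rest)
            break
        else:
            out.append(ch)
    key = "".join(out)
    return key or None


def parse_cookie_header(header: str):
    """Split a Cookie header into (raw_name, value) pairs in header order the
    way PHP does: on ';', leading whitespace stripped, value after the first
    '=' (empty if there is none); pairs with an empty name are dropped."""
    pairs = []
    for part in header.split(";"):
        part = part.lstrip()
        if not part:
            continue
        name, _sep, value = part.partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def php_cookie_array(header: str):
    """$_COOKIE as an unpatched PHP would build it: mangled keys, and the
    first occurrence of a key wins (PHP skips duplicate cookie names)."""
    cookies = {}
    for raw_name, value in parse_cookie_header(header):
        key = php_cookie_key(raw_name)
        if key is None or key in cookies:
            continue
        cookies[key] = value
    return cookies


def trusted_prefixed_cookies(header: str):
    """__Host-/__Secure- cookies read straight from the raw header, honoured
    only when the name is verbatim (no mangling involved); first wins."""
    trusted = {}
    for raw_name, value in parse_cookie_header(header):
        if raw_name.startswith(PREFIXES) and raw_name not in trusted:
            trusted[raw_name] = value
    return trusted


def spoofed_prefixed_cookies(header: str):
    """Prefixed keys whose value in PHP's $_COOKIE did not come from a cookie
    literally sent with that name: the signal an application can use to
    reject the request on a runtime without the complete fix."""
    trusted = trusted_prefixed_cookies(header)
    return sorted(
        key for key, value in php_cookie_array(header).items()
        if key.startswith(PREFIXES) and trusted.get(key) != value
    )


if __name__ == "__main__":
    # Constructed headers: the advisory's PoC cookie, a bug-81727-style
    # variant, and an honestly prefixed cookie next to an ordinary one.
    for hdr in ("_[Host-x=y", "._Host-x=y", "__Host-x=y; sid=1"):
        print(repr(hdr), "->", php_cookie_array(hdr),
              "spoofed:", spoofed_prefixed_cookies(hdr))
```

The same guard in a PHP application means reading the prefixed names out of $_SERVER['HTTP_COOKIE'] yourself and refusing to act on a __Host-/__Secure- entry of $_COOKIE whose name does not appear verbatim in that header; upgrading to a PHP release with the complete fix is the real remedy.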

PoC

The script x prints $_COOKIE as JSON (the PHP tag was stripped from the listing and is restored here); php -S uses it as the router script, so it handles every request:

$ echo '<?php echo json_encode($_COOKIE); ?>' > x

$ docker run -p 8080:8080 --rm -v $(pwd):$(pwd) php:latest php -S 0.0.0.0:8080 $(pwd)/x

$ curl -b '_[Host-x=y' localhost:8080/x
{"__Host-x":"y"}

Linked CVEs

CVE-ID          Severity (CVE.org)  CVSS (CVE.org)  EPSS  EPSS-%  Published (CVE.org)
CVE-2022-31629  MEDIUM              6.5             -     -       2022-09-28
CVE-2024-2756   -                   -               -     -       -

Source details

Identifier: PHP Security (php/php-src GHSA)
Name: php_sec
Category: vendor_advisory
Tags: php, runtime
Audience: -
Language: de
Feed URL: https://github.com/php/php-src/security/advisories