Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-w3w9-vrf5-8mx8: ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent

Impact

In ReactPHP’s HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.

Patches

  • https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in reactphp/http v1.7.0

Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.

References

  • CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and https://github.com/php/php-src/commit/6559fe912661ca5ce5f0eeeb591d928451428ed0
  • CVE-2020-8184, https://hackerone.com/reports/895727 and https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c
  • Originally introduced via https://github.com/reactphp/http/pull/175

Credits

  • Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory

For more information

If you have any questions or comments about this advisory:

ghsa
Open in Source
#vulnerability#git#php

ReactPHP’s HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent

Moderate severity GitHub Reviewed Published Sep 16, 2022 in reactphp/http • Updated Sep 16, 2022

Package

composer react/http (Composer)

Affected versions

>= 0.7.0, < 1.7.0

Patched versions

1.7.0

Description

Impact

In ReactPHP’s HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host- and __Secure- confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.

Patches

  • reactphp/http@663c9a3 - Fixed in reactphp/http v1.7.0

Workarounds

Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie request headers.

References

  • CVE-2020-7070, https://bugs.php.net/bug.php?id=79699 and php/php-src@6559fe9
  • CVE-2020-8184, https://hackerone.com/reports/895727 and rack/rack@1f5763d
  • Originally introduced via reactphp/http#175

Credits

  • Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory

For more information

If you have any questions or comments about this advisory:

References

  • GHSA-w3w9-vrf5-8mx8
  • https://nvd.nist.gov/vuln/detail/CVE-2022-36032
  • reactphp/http#175
  • reactphp/http@663c9a3
  • https://github.com/reactphp/http/releases/tag/v1.7.0

WyriHaximus published the maintainer security advisory

Sep 6, 2022

Severity

Moderate

5.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses

CWE-20 CWE-565

CVE ID

CVE-2022-36032

GHSA ID

GHSA-w3w9-vrf5-8mx8

Source code

reactphp/http

Credits

  • lavish

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Related news

CVE-2022-36032: Add cookies to request object by legionth · Pull Request #175 · reactphp/http

ReactPHP HTTP is a streaming HTTP client and server implementation for ReactPHP. In ReactPHP's HTTP server component versions starting with 0.7.0 and prior to 1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. This issue is fixed in ReactPHP HTTP version 1.7.0. As a workaround, Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected `Cookie` request headers.

ghsa: Latest News

GHSA-qqwr-j9mm-fhw6: deno_doc's HTML generator vulnerable to Cross-site Scripting
ghsa