Patch released for cross-domain cookie leakage flaw in Guzzle

Drupal rolls out update for issue that is contingent on cookie middleware being enabled

PortSwigger
Tags: vulnerability, web, git, php

Adam Bannister 27 May 2022 at 14:10 UTC

The maintainers of Guzzle, the popular HTTP client for PHP applications, have addressed a high severity vulnerability leading to cross-domain cookie leakage.

Drupal, the open source content management system (CMS), is among the applications that use the third-party library and has released software updates addressing the issue.

The flaw resides in Guzzle’s cookie middleware, which is disabled by default, “so most library consumers will not be affected by this issue”, reads a GitHub security advisory published by a Guzzle maintainer on Wednesday (May 25).

The cookies crumble

Tracked as CVE-2022-29248, the bug centers on a failure to check if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. This would allow “a malicious server to set cookies for unrelated domains”, continues the advisory.

“For example, an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.”
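The check the advisory describes is a standard cookie-domain match: a server may only scope a cookie to its own host or to a parent domain of that host, never to an unrelated domain. The following Python is an added illustration written for this article, not Guzzle's code; it reimplements a minimal cookie jar in the style of RFC 6265 section 5.1.3 with the check switchable, so the leak (a response from www.example.com planting a session cookie that is later sent to api.example.net) can be contrasted with the checked behaviour. The hostnames and cookie values are constructed for the demonstration.

```python
"""Cookie-domain check of the kind CVE-2022-29248 was missing (illustrative, not Guzzle's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # domain the cookie is scoped to (lower-case, no leading dot)
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute


def parse_set_cookie(header: str) -> Tuple[str, str, Optional[str]]:
    """Return (name, value, Domain attribute or None) from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower() or None
    return name.strip(), value, domain


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it.
    Simplified: no public-suffix-list check, no IP-address handling."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self, check_domain: bool = True) -> None:
        self.check_domain = check_domain
        self.cookies: List[Cookie] = []

    def store(self, request_host: str, set_cookie: str) -> bool:
        """Store a cookie from a response sent by request_host; False if rejected."""
        name, value, domain = parse_set_cookie(set_cookie)
        if domain is None:
            # No Domain attribute: host-only cookie for the responding server
            self.cookies.append(Cookie(name, value, request_host.lower(), True))
            return True
        if self.check_domain and not domain_matches(request_host, domain):
            # The server tried to scope a cookie to a domain it does not own
            return False
        self.cookies.append(Cookie(name, value, domain, False))
        return True

    def cookies_for(self, host: str) -> Dict[str, str]:
        """Cookies that would be attached to a request to host."""
        out: Dict[str, str] = {}
        for c in self.cookies:
            if c.host_only:
                if host.lower() == c.domain:
                    out[c.name] = c.value
            elif domain_matches(host, c.domain):
                out[c.name] = c.value
        return out


def demo(check_domain: bool) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Replay constructed responses from www.example.com through one shared jar and
    return the cookies the jar would send to api.example.net and to www.example.com."""
    jar = CookieJar(check_domain)
    jar.store("www.example.com", "session=attacker-sess; Domain=api.example.net; Path=/")
    jar.store("www.example.com", "pref=dark; Domain=example.com")   # parent domain: legitimate
    jar.store("www.example.com", "csrf=abc")                        # host-only
    return jar.cookies_for("api.example.net"), jar.cookies_for("www.example.com")


if __name__ == "__main__":
    print("unchecked :", demo(False))  # attacker-chosen session cookie reaches api.example.net
    print("checked   :", demo(True))   # cross-domain cookie rejected, legitimate ones kept
```

With the check disabled the first tuple element contains the attacker-chosen session cookie, which is exactly the condition the advisory describes when one client instance talks to both domains. The same reasoning is why the advisory's workaround (leave the cookie middleware off, or do not share a cookie-enabled client across unrelated domains) removes the exposure even on unpatched versions.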

Guzzle is used to send HTTP requests from PHP programs for various use-cases.

The PSR-7-compatible library, which is approaching 22,000 stars on GitHub, is also used by Adobe’s e-commerce platform, Magento, among other applications, as well as by Laravel, the popular PHP web application framework.

However, only users that “manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true]” are affected, explained the advisory. They must also use the same Guzzle client to call multiple domains and have redirect forwarding enabled to be vulnerable.

Guzzle maintainers have fixed the flaw in versions 6.5.6, 7.4.3, and 7.5.0, and advised users to ensure cookie middleware is disabled unless cookie support is required.

Drupal updates

In a security advisory issued on the same day as its Guzzle counterpart, Drupal said the Guzzle vulnerability “does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites”.

The issue has been patched in Drupal versions 9.3.14 and 9.2.20, with previous Drupal 9 versions no longer supported. Drupal 7 is not affected by the flaw.

Drupal classified the bug as ‘moderately critical’ on its own severity scale, assigning a score of 13 out of 25.

Related news

CVE-2022-29248: [7.x] Fix cross-domain cookie leakage (#3018) · guzzle/guzzle@74a8602

Guzzle is a PHP HTTP client. Guzzle prior to versions 6.5.6 and 7.4.3 contains a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. The cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Guzzle versions 6.5.6 and 7.4.3 contain a patch for this issue. As a workaround, turn off the cookie middleware.

GHSA-cwmx-hcrq-mhc3: Cross-domain cookie leakage in Guzzle

Impact: Previous versions of Guzzle contain a vulnerability with the cookie middleware. The vulnerability is that it is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header, allowing a malicious server to set cookies for unrelated domains. For example an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account. Note that our cookie middleware is disabled by default, so most library consumers will not be affected by this issue. Only those who manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected. Moreover, those who do not use the same Guzzle client to call multiple domains and have disabled redirect forwarding are not affected by this vulnerability. Patches: Affected Guzzle 7 users should upgrade to Guzzle 7.5.0...