Unvalidated Follow redirects in guzzle/guzzle

Valid

Reported on

May 25th 2022


Description

There is some kind of vulnerability class in the following redirect feature, And Guzzle is also affected by this kind of vulnerability.

If the developer wants to get a URL from a third-party host and the third-party URL is also redirected to another URL, then the first crafted cookies in Guzzle will be disclosed to the final host. it is a Security issue that the guzzle should not send a cookie header in a redirection.

previous CVEs: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/ https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac/

Proof of Concept

https://drive.google.com/file/d/1MtpKQKClRBo69dvuI-xJzzPuuolk2y5s/view?usp=sharing

Impact

The cookies and important HTTP headers can be leaked to another party or even attacker ( e.g. there is a open redirect in third party site)

We are processing your report and will contact the guzzle team within 24 hours. a month ago
amammad
a month ago

Researcher


Please, tell me to delete the POC video before validation, Thanks ( Or maybe invalidation :) )

amammad
a month ago

Researcher


The Fix can is this :

don't redirect sensitive Headers in redirection to another host.

We have contacted a member of the guzzle team and are waiting to hear back a month ago
Graham Campbell validated this vulnerability a month ago

Thanks for the report. I have discussed this internally, and we agree there is an issue here. We'll co-ordinate internally and with stakeholders to provide a CVE and a patch for this issue. I will update you again within the next 10 working days.

amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
amammad
a month ago

Researcher


Hey Graham, Can I delete the video POC if it is possible?

Jamie Slome
a month ago

Admin


@grahamcampbell - our system has automatically assigned a CVE for this report. Would you like us to keep/remove this? Furthermore, for future reports, what would you/your team prefer?

We have sent a fix follow up to the guzzle team. We will try again in 7 days. a month ago
Graham Campbell
21 days ago

Maintainer


No, we don't need CVEs from huntr.dev. We will have them issued by GitHub.

Graham Campbell
21 days ago

Maintainer


A fix is prepared for this vulnerability and another that I have discovered, looking over this code. We are going to get a review from a 3rd party, and then release the fixes along with 2 CVEs.

Jamie Slome
21 days ago

Admin


@grahamcampbell - no worries, I have removed the automatic CVE from this report, and all future approved reports.

Any reason you would prefer issuing them via GitHub instead of us taking care of it for you?

Regarding the fix, once you are ready, feel free to confirm the fix for both reports, and let me know what the CVE IDs are, and I can attach them to each relevant report for you 👍

We have sent a second fix follow up to the guzzle team. We will try again in 10 days. 19 days ago
Graham Campbell
17 days ago

Maintainer


We have been allocated CVE-2022-31042. This NOT yet public, at this time.

Please find below the draft description (@amammad and @jamieslome - please review this):

Impact

Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the Cookie header on. Prior to this fix, only cookies that were managed by our cookie middleware would be safely removed, and any Cookie header manually added to the initial request would not be stripped. We now always strip it, and allow the cookie middleware to re-add any cookies that it deems should be there.

Patches

Affected Guzzle 7 users should upgrade to Guzzle 7.4.4 as soon as possible. Affected users using any earlier series of Guzzle should upgrade to Guzzle 6.5.7 or 7.4.4.

Workarounds

An alternative approach would be to use your own retry middleware, rather than ours, if you are unable to upgrade.

References

RFC9110 Section 15.4

For more information

If you have any questions or comments about this advisory, please get in touch with us in #guzzle on the PHP HTTP Slack. Do not report additional security advisories in that public channel, however - please follow our vulnerability reporting process.

amammad
17 days ago

Researcher


Hey Graham, I think we are on the same page! Cheers!

Jamie Slome
17 days ago

Admin


@grahamcampbell - LGTM 👍

Are we able to add the huntr.dev report URL as a reference?

Graham Campbell confirmed that a fix has been merged on 724562 16 days ago
Graham Campbell has been awarded the fix bounty
ranjit-git
16 days ago

@admin @maintainer I submiited same report 4 months ago but maintainer rejected it https://huntr.dev/bounties/b8379541-566c-4cf2-bf81-633bde3de3da/ Can you plz check it

Graham Campbell
16 days ago

Maintainer


No, this is not the same issue. Your issue refers to a change in host, but this issue refers to a change in scheme.

ranjit-git
16 days ago

Change in host has more severity than change in scheme. Because When change in host happen then cookie is sent to totally different host. But when change in scheme happen then cookie is sent to same host but different scheme.

ranjit-git
16 days ago

@maintainer I see you already admitted in your previous comment that cookie should not be send to third party different host as cookie is sensitive information.

Cookie headers on requests are sensitive information. On making a request using the https scheme to a server which responds with a redirect to a URI with the http scheme, or on making a request to a server which responds with a redirect to a a URI to a different host, we should not forward the Cookie header on
ranjit-git
16 days ago

@mainatiner After reading this report carefully I see this report is exactly same as mine

ranjit-git
16 days ago

Bug reporter send this report as thirdparty host cookie leak and also maintioned two report url is mine . I see no difference between my original report this report

ranjit-git
16 days ago

Reporter submiited this bug here as change in host. And my report was same. Change in host has more severity than change in scheme here

to join this conversation