Set cookie for different domain in guzzle/guzzle

Valid

Reported on

May 9th 2022


Description

It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header.

Proof of Concept

<?php
require "vendor/autoload.php";
$client = new \GuzzleHttp\Client(["cookies" => true]);
$client->request("GET", "https://<id>.free.beeceptor.com/setcookie");
$cookies = $client->getConfig('cookies')->toArray();
print_r($cookies);
?>

You can use beeceptor to mock the endpoint, just add the following header to the response: "Set-Cookie": "poc=1; Domain=huntr.dev"

Also works with .com as domain, this would send the cookie to all .com domains.

Impact

The vulnerability is capable of stealing sessions if the right conditions are met.

We are processing your report and will contact the guzzle team within 24 hours. 2 months ago
We have contacted a member of the guzzle team and are waiting to hear back 2 months ago
Graham Campbell validated this vulnerability 2 months ago

Thanks for reporting this. We will co-ordinate with stakeholders and provide an update within 10 working days.

myxl has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the guzzle team. We will try again in 7 days. a month ago
Graham Campbell
a month ago

Maintainer


We are aware of this issue, and we will prepare a fix next week.

We have sent a second fix follow up to the guzzle team. We will try again in 10 days. a month ago
Graham Campbell
a month ago

Maintainer


We have a fix in progress. We will provide another update on Monday.

Graham Campbell
a month ago

Maintainer


We have a proposed fix in place. We are sending it for 3rd party review. We expect to be able to release a fix before the end of May.

Graham Campbell
a month ago

Maintainer


We have been allocated CVE-2022-29248.

Graham Campbell
a month ago

Maintainer


We have just released v6.5.6 and v7.4.3 and published the advisory. This is now fixed, and the embargo is lifted.

Graham Campbell confirmed that a fix has been merged on 74a860 a month ago
Graham Campbell has been awarded the fix bounty
CookieJar.php#L160-L218 has been validated
to join this conversation