Set cookie for different domain in guzzle/guzzle
Reported on May 9th 2022
Description
It is not checked if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header.
Proof of Concept
<?php
require "vendor/autoload.php";
// Enable the client's default cookie jar so Set-Cookie responses are stored.
$client = new \GuzzleHttp\Client(["cookies" => true]);
// Replace <id> with your own beeceptor endpoint id.
$client->request("GET", "https://<id>.free.beeceptor.com/setcookie");
// Dump the jar: the cookie is stored with Domain=huntr.dev even though it came from beeceptor.com.
$cookies = $client->getConfig('cookies')->toArray();
print_r($cookies);
?>
You can use beeceptor to mock the endpoint; just add the following header to the response:
"Set-Cookie": "poc=1; Domain=huntr.dev"
This also works with .com as the domain, which would send the cookie to all .com domains.
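The missing check described above is the RFC 6265 section 5.3 rule: a cookie jar must ignore a Set-Cookie whose Domain attribute does not domain-match the host that sent the response, and should also reject a public suffix such as "com" as a cookie domain. The following is an added example of that validation, not Guzzle's own code; the public-suffix list, the sample hosts and the helper names are constructed for illustration.

```php
<?php
// Added example (not Guzzle's code): RFC 6265 §5.1.3 domain matching and the
// §5.3 step-6 check a cookie jar must make before storing a Set-Cookie whose
// Domain attribute names a different domain than the responding host.

/**
 * True if $requestHost domain-matches $cookieDomain per RFC 6265 §5.1.3.
 * Both values are lower-cased; a leading dot on the Domain attribute is dropped.
 */
function cookieDomainMatches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(ltrim(rtrim($cookieDomain, '.'), '.'));

    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    // An IP literal never domain-matches anything but itself.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    // $domain must be a suffix of $host and the preceding character must be '.'.
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

/**
 * Constructed, deliberately tiny stand-in for the Public Suffix List
 * (https://publicsuffix.org). A real cookie jar should consult the full list so
 * that Domain=com or Domain=co.uk is rejected even by hosts that match it.
 */
const EXAMPLE_PUBLIC_SUFFIXES = ['com', 'dev', 'net', 'org', 'co.uk'];

function isPublicSuffix(string $domain): bool
{
    return in_array(strtolower(ltrim($domain, '.')), EXAMPLE_PUBLIC_SUFFIXES, true);
}

/**
 * Decide whether a Set-Cookie received from $requestHost with Domain attribute
 * $domainAttr (null when absent) may be stored. Returns the effective cookie
 * domain, or null when the cookie must be ignored.
 */
function effectiveCookieDomain(string $requestHost, ?string $domainAttr): ?string
{
    $host = strtolower(rtrim($requestHost, '.'));
    if ($domainAttr === null || $domainAttr === '') {
        // No Domain attribute: host-only cookie for the responding host.
        return $host;
    }
    $domain = strtolower(ltrim(rtrim($domainAttr, '.'), '.'));
    if (isPublicSuffix($domain) || !cookieDomainMatches($host, $domain)) {
        return null;
    }
    return $domain;
}

// Constructed cases: the first two mirror the report (response from a beeceptor host
// trying to set a cookie for huntr.dev, then for the bare .com suffix).
$cases = [
    ['example-id.free.beeceptor.com', 'huntr.dev'],     // unrelated domain -> ignored
    ['example-id.free.beeceptor.com', '.com'],          // public suffix -> ignored
    ['app.example.com', 'example.com'],                 // parent domain -> accepted
    ['app.example.com', 'app.example.com'],             // exact host -> accepted
    ['app.example.com', null],                          // no Domain -> host-only
    ['127.0.0.1', 'example.com'],                       // IP literal -> ignored
];
foreach ($cases as [$host, $attr]) {
    $result = effectiveCookieDomain($host, $attr);
    printf("%-32s Domain=%-20s => %s\n", $host, var_export($attr, true),
        $result === null ? 'IGNORED' : "stored for $result");
}
```

Run with `php` on the command line; the first two cases print IGNORED, which is the behaviour the PoC above shows the unpatched cookie jar lacked.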
Impact
The vulnerability is capable of stealing sessions if the right conditions are met.
Occurrences
References
Thanks for reporting this. We will co-ordinate with stakeholders and provide an update within 10 working days.
We are aware of this issue, and we will prepare a fix next week.
We have a fix in progress. We will provide another update on Monday.
We have a proposed fix in place. We are sending it for 3rd party review. We expect to be able to release a fix before the end of May.
We have just released v6.5.6 and v7.4.3 and published the advisory. This is now fixed, and the embargo is lifted.