Impact
In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host-
and __Secure-
confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.
Patches
Workarounds
Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected Cookie
request headers.
References
Credits
- Thanks to Marco Squarcina (TU Wien) for reporting this and working with us to coordinate this security advisory
For more information
If you have any questions or comments about this advisory:
Impact
In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
__Host-
and__Secure-
confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.Patches
v1.7.0
Workarounds
Infrastructure or DevOps can place a reverse proxy in front of the ReactPHP HTTP server to filter out any unexpected
Cookie
request headers.References
Credits
For more information
If you have any questions or comments about this advisory: