Summary
Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
Details
The vulnerability is identical to one previously described in https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed by PHP applications as __Host-.
Notice that I reported this vulnerability multiple times via email after the fix for CVE-2022-31629 landed (I am the original reporter of that CVE), but I guess that the message got lost.
PoC
$ echo '<?php echo(json_encode($_COOKIE)); ?>' > x
$ docker run -p 8080:8080 --rm -v $(pwd):$(pwd) php:latest php -S 0.0.0.0:8080 $(pwd)/x
$ curl -b '_[Host-x=y' localhost:8080/x
{"__Host-x":"y"}
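A defensive workaround for applications that cannot wait for a fixed PHP build, as an added example that is not part of the advisory and not PHP's own code: read the raw Cookie header from $_SERVER['HTTP_COOKIE'] and compare cookie names byte-for-byte, so a name only counts as __Host-/__Secure- prefixed if the browser actually sent those exact bytes. The name mangling that turns _[Host-x into __Host-x happens when PHP populates $_COOKIE, so bypassing $_COOKIE for prefixed cookies sidesteps it. The function names and the sample header below are constructed for this example.

```php
<?php
// Added example (hypothetical helper names, not PHP or advisory code).
// PHP rewrites certain characters in cookie names (e.g. '[' and '.' become '_')
// while building $_COOKIE, which is why "_[Host-x" shows up as "__Host-x".
// Parsing the raw header ourselves keeps the original bytes of each name.

function parse_raw_cookie_header(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue; // malformed pair without '=': ignore it
        }
        $name  = substr($pair, 0, $eq);
        $value = substr($pair, $eq + 1);
        // Browsers send the most specific cookie first; keep the first occurrence.
        if (!array_key_exists($name, $out)) {
            // $_COOKIE URL-decodes values, so do the same for the value only;
            // the name is deliberately left untouched.
            $out[$name] = urldecode($value);
        }
    }
    return $out;
}

// Returns the value of a prefixed cookie only if the raw name matched exactly,
// null otherwise. Use this instead of $_COOKIE for __Host-/__Secure- cookies.
function get_prefixed_cookie(string $name, ?string $header = null): ?string
{
    if (!str_starts_with($name, '__Host-') && !str_starts_with($name, '__Secure-')) {
        throw new InvalidArgumentException('expected a __Host- or __Secure- cookie name');
    }
    $header ??= $_SERVER['HTTP_COOKIE'] ?? '';
    $raw = parse_raw_cookie_header($header);
    // Exact byte comparison: "_[Host-x" is not "__Host-x".
    return $raw[$name] ?? null;
}

// Constructed sample header reproducing the PoC request plus a legitimate cookie.
$sample = '_[Host-x=y; __Host-session=abc123';
var_dump(get_prefixed_cookie('__Host-x', $sample));        // NULL: spoofed name rejected
var_dump(get_prefixed_cookie('__Host-session', $sample));  // string(6) "abc123"
```

This only changes how the application reads prefixed cookies; the real fix is to upgrade to a PHP release that completes the CVE-2022-31629 fix, and the raw-header lookup can then be dropped.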