プラットフォーム
php
コンポーネント
php
修正版
7.2.34
7.3.23
7.4.11
CVE-2020-7070 is a vulnerability in PHP affecting versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, and 7.4.x below 7.4.11. This vulnerability arises from improper handling of HTTP cookie names during URL decoding, enabling attackers to potentially forge secure cookies. The vulnerability was published on October 2, 2020, and a fix is available in PHP 7.4.11.
An attacker can exploit CVE-2020-7070 to forge secure cookies by manipulating the URL decoding process of HTTP cookie names. Specifically, they can craft cookie names that, after decoding, resemble reserved prefixes like '__Host', which are typically used for cookies intended to be accessible across subdomains. This allows an attacker to inject malicious cookies that appear legitimate, potentially leading to session hijacking and unauthorized access to sensitive data. The impact is particularly severe for applications relying on secure cookies for authentication and authorization, as an attacker could impersonate legitimate users.
CVE-2020-7070 is related to CVE-2020-8184, which addresses a similar cookie handling issue. While no public exploits have been widely reported, the potential for session hijacking makes this a concerning vulnerability. The vulnerability was disclosed publicly on October 2, 2020. It is not currently listed on the CISA KEV catalog.
Applications using PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, and 7.4.x below 7.4.11 are at risk. This includes web applications relying on secure cookies for authentication, authorization, or session management. Shared hosting environments where users have limited control over the PHP version are particularly vulnerable.
• php: Check PHP version using php -v. If the version is affected (≤7.4.11), investigate further.
• generic web: Examine access logs for unusual cookie names or patterns that might indicate attempted exploitation. Look for cookies with prefixes like '__Host' that are not expected.
• generic web: Use curl to test cookie setting and retrieval with manipulated names to see if the application is vulnerable.
curl -v -b 'test=1; __Host=malicious' http://your-php-applicationdisclosure
エクスプロイト状況
EPSS
26.09% (96% パーセンタイル)
CVSS ベクトル
The primary mitigation for CVE-2020-7070 is to upgrade to a patched version of PHP. Upgrade to PHP 7.4.11 or later to resolve this vulnerability. If upgrading is not immediately feasible, consider implementing stricter cookie validation on the application side to prevent the acceptance of cookies with unexpected prefixes. Web application firewalls (WAFs) can also be configured to filter out requests containing suspicious cookie names. After upgrading, verify the fix by attempting to set a cookie with a manipulated name and confirming that it is rejected.
PHPをバージョン7.2.34、7.3.23、または7.4.11以降にアップデートして、この脆弱性を修正してください。これにより、Cookie名が安全でない方法でデコードされるのを防ぎ、Cookieの偽造を防ぐことができます。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2020-7070 is a vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x where improper URL decoding of HTTP cookies allows attackers to forge secure cookies, potentially hijacking user sessions.
You are affected if you are using PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, or 7.4.x below 7.4.11. Upgrade to a patched version to mitigate the risk.
Upgrade to PHP 7.4.11 or later. If immediate upgrade is not possible, implement stricter cookie validation on the application side and consider using a WAF.
While no widespread exploitation has been publicly reported, the potential for session hijacking makes this a concerning vulnerability. Continuous monitoring is recommended.
Refer to the official PHP security advisory at https://security.php.net/advisory/7.2.34