Platform
php
Component
php
Opgelost in
7.2.34
7.3.23
7.4.11
CVE-2020-7070 is a vulnerability in PHP affecting versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, and 7.4.x below 7.4.11. This vulnerability arises from improper handling of HTTP cookie names during URL decoding, enabling attackers to potentially forge secure cookies. The vulnerability was published on October 2, 2020, and a fix is available in PHP 7.4.11.
An attacker can exploit CVE-2020-7070 to forge secure cookies by manipulating the URL decoding process of HTTP cookie names. Specifically, they can craft cookie names that, after decoding, resemble reserved prefixes like '__Host', which are typically used for cookies intended to be accessible across subdomains. This allows an attacker to inject malicious cookies that appear legitimate, potentially leading to session hijacking and unauthorized access to sensitive data. The impact is particularly severe for applications relying on secure cookies for authentication and authorization, as an attacker could impersonate legitimate users.
CVE-2020-7070 is related to CVE-2020-8184, which addresses a similar cookie handling issue. While no public exploits have been widely reported, the potential for session hijacking makes this a concerning vulnerability. The vulnerability was disclosed publicly on October 2, 2020. It is not currently listed on the CISA KEV catalog.
Applications using PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, and 7.4.x below 7.4.11 are at risk. This includes web applications relying on secure cookies for authentication, authorization, or session management. Shared hosting environments where users have limited control over the PHP version are particularly vulnerable.
• php: Check PHP version using php -v. If the version is affected (≤7.4.11), investigate further.
• generic web: Examine access logs for unusual cookie names or patterns that might indicate attempted exploitation. Look for cookies with prefixes like '__Host' that are not expected.
• generic web: Use curl to test cookie setting and retrieval with manipulated names to see if the application is vulnerable.
curl -v -b 'test=1; __Host=malicious' http://your-php-applicationdisclosure
Exploit Status
EPSS
26.09% (96% percentiel)
CVSS-vector
The primary mitigation for CVE-2020-7070 is to upgrade to a patched version of PHP. Upgrade to PHP 7.4.11 or later to resolve this vulnerability. If upgrading is not immediately feasible, consider implementing stricter cookie validation on the application side to prevent the acceptance of cookies with unexpected prefixes. Web application firewalls (WAFs) can also be configured to filter out requests containing suspicious cookie names. After upgrading, verify the fix by attempting to set a cookie with a manipulated name and confirming that it is rejected.
Actualice a la versión 7.2.34, 7.3.23 o 7.4.11 de PHP, o a una versión posterior, para corregir la vulnerabilidad. Esto evitará que los nombres de las cookies se decodifiquen de forma insegura, previniendo la falsificación de cookies.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2020-7070 is a vulnerability in PHP versions 7.2.x, 7.3.x, and 7.4.x where improper URL decoding of HTTP cookies allows attackers to forge secure cookies, potentially hijacking user sessions.
You are affected if you are using PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, or 7.4.x below 7.4.11. Upgrade to a patched version to mitigate the risk.
Upgrade to PHP 7.4.11 or later. If immediate upgrade is not possible, implement stricter cookie validation on the application side and consider using a WAF.
While no widespread exploitation has been publicly reported, the potential for session hijacking makes this a concerning vulnerability. Continuous monitoring is recommended.
Refer to the official PHP security advisory at https://security.php.net/advisory/7.2.34
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.