This can be exploited by malicious or compromised websites to facilitate a cross-site request forgery (CSRF) attack to take control of the affected website.
In the case of PHP versions 7.4.31, 8.0.24 and 8.1.11, an attacker can exploit the vulnerability to set an insecure cookie which will be handled as `__Host-` by all PHP applications if the victim visits another website using the same web server software. After the victim visits the malicious website, the attacker's website can send a request to the victim's website, which will be handled by the vulnerable code. This can result in the attacker's website being displayed instead of the victim's website.
CVE-2019-1556: PHP Cookie Issue (HIG-SSL-COOKIE-CVE) - It has been reported that in PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability allows remote attackers to set an insecure cookie which will be treated as `__Host-` or `__Secure-` by all PHP applications if the victim visits another website using the same web server software. After the victim visits the malicious website, the attacker's website can send a request to the victim's website, which will be handled by the vulnerable code. This can result in the attacker's website being displayed instead of the victim's website. - It has been reported that in PHP versions before 7.4.
Vulnerability Scenario
The vulnerability can be exploited by malicious or compromised websites to facilitate a cross-site request forgery (CSRF) attack.
In the case of PHP versions 7.4.31, 8.0.24 and 8.1.11, an attacker can exploit the vulnerability to set an insecure cookie which will be handled as `__Host-` by all PHP applications if the victim visits another website using the same web server software. After the victim visits the malicious website, the attacker's website can send a request to the victim's website, which will be handled by the vulnerable code. This can result in the attacker's website being displayed instead of the victim's website.
Vulnerability Summary
A vulnerability in the PHP software can be exploited by malicious or compromised websites to facilitate a cross-site request forgery (CSRF) attack to take control of the affected website.
Vulnerability Explained
A cross-site request forgery (CSRF) vulnerability exists in PHP versions before 7.4.31, 8.0.24 and 8.1.11 that makes it easier for attackers to steal a website’s session cookie and use it on other websites or apps to perform malicious actions. In the case of PHP versions 7.4.31, 8.0.24 and 8.1.11, an attacker can exploit the vulnerability to set an insecure cookie which will be handled as `__Host-` by all PHP applications if the victim visits another website using the same web server software.
Description
The following is a description of the vulnerability:
- CVE-2019-1556 - PHP Cookie Issue (HIG-SSL-COOKIE-CVE)
This can be exploited by malicious or compromised websites to facilitate a cross-site request forgery (CSRF) attack to take control of the affected website.
Timeline
Published on: 09/28/2022 23:15:00 UTC
Last modified on: 11/22/2022 06:15:00 UTC
References
- https://bugs.php.net/bug.php?id=81727
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XNIEABBH5XCXLFWWZYIDE457SPEDZTXV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VI3E6A3ZTH2RP7OMLJHSVFIEQBIFM6RF/
- https://www.debian.org/security/2022/dsa-5277
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2L5SUVYGAKSWODUQPZFBUB3AL6E6CSEV/
- https://security.gentoo.org/glsa/202211-03
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31629