In this post, we will discuss a concerning vulnerability in PHP applications, which has been identified as CVE-2024-2756. Due to an incomplete fix of a previous vulnerability, CVE-2022-31629 (found here: https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in a victim's browser. This insecure cookie is then treated as a __Host- or __Secure- cookie by PHP applications, thus allowing potential exploitation.

Background

In order to understand the significance of CVE-2024-2756, let us first briefly discuss the original vulnerability: CVE-2022-31629. This vulnerability allowed remote attackers to bypass the Cookie Prefix protection mechanism. Cookie Prefix is a security feature implemented in browsers that requires cookies with certain prefixes (__Host- and __Secure-) to carry specific attributes, such as the Secure flag and a restricted path. The intention of this feature is to prevent attackers from setting or overwriting these cookies, thus providing an additional layer of security.

However, CVE-2022-31629 allowed attackers to bypass this protection by setting an insecure cookie and having it treated as a secure cookie, simply by exploiting a flaw in the browser's implementation of the Cookie Prefix mechanism. This issue was supposed to be resolved, but as we will see, the fix was incomplete and has led to the discovery of CVE-2024-2756.

Exploit Details

CVE-2024-2756 occurs due to an incomplete fix of the previous vulnerability, allowing network and same-site attackers to once again set insecure cookies that are treated as __Host- or __Secure- cookies by PHP applications. An attacker can exploit this by first setting an insecure cookie in the victim's browser with a standard PHP call:

<?php
// Sets an ordinary cookie: no __Host-/__Secure- prefix and no Secure flag
setcookie("insecure-cookie", "test-value");

On its own, setting such a cookie would typically not be a major security concern. However, the incomplete fix for the previous vulnerability (CVE-2022-31629) allows the insecure cookie to bypass the Cookie Prefix protection mechanism in PHP applications. The insecure cookie is then treated as a __Host- or __Secure- cookie, which drastically increases the potential for unauthorized access to sensitive information and session hijacking.

Mitigations and Recommendations

The best mitigation for this vulnerability is to ensure your PHP applications are running the latest patched versions. The developers of PHP have acknowledged this issue, and it is expected that an official patch will be released soon. In the meantime, developers may consider implementing their own workarounds, such as:

- Manually enforcing cookie security by keeping track of and validating __Host- and __Secure- cookies in their application code.
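One way to implement that workaround in application code, as an added example that is not code from the original post or from the PHP project: the check below only trusts a __Host- or __Secure- cookie when the raw Cookie request header carries that exact prefixed name, and flags any prefixed key in $_COOKIE that has no verbatim match. The function names (parseRawCookieHeader, trustedPrefixedCookies), the TRUSTED_PREFIXES constant and the sample header and array are this example's own assumptions; it relies on PHP 8 for str_starts_with.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or from the PHP project.
// Idea: only trust a __Host-/__Secure- cookie when the raw Cookie header
// carries that exact prefixed name. PHP builds $_COOKIE by rewriting some
// characters in incoming names to '_', so a key that only became prefixed
// after that rewrite will have no verbatim match in the raw header.
// All function, constant and sample names below are this example's own.

const TRUSTED_PREFIXES = ['__Host-', '__Secure-'];

/**
 * Parse the raw Cookie request header without rewriting any names.
 * Returns name => value; for duplicate names the first pair is kept.
 */
function parseRawCookieHeader(string $header): array
{
    $out = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '') {
            continue;
        }
        $eq = strpos($pair, '=');
        if ($eq === false) {
            continue; // a pair without '=' is malformed, skip it
        }
        $name  = substr($pair, 0, $eq);
        $value = substr($pair, $eq + 1);
        if ($name !== '' && !array_key_exists($name, $out)) {
            $out[$name] = urldecode($value); // $_COOKIE values are URL-decoded too
        }
    }
    return $out;
}

/**
 * Split the prefixed entries of $cookies (normally $_COOKIE) into the ones
 * the browser really sent under that exact name and the ones that did not
 * arrive verbatim and should be discarded and logged.
 */
function trustedPrefixedCookies(string $rawHeader, array $cookies): array
{
    $raw = parseRawCookieHeader($rawHeader);
    $result = ['trusted' => [], 'suspicious' => []];

    foreach ($cookies as $name => $value) {
        $name = (string) $name;
        $isPrefixed = false;
        foreach (TRUSTED_PREFIXES as $prefix) {
            if (str_starts_with($name, $prefix)) { // PHP 8+
                $isPrefixed = true;
                break;
            }
        }
        if (!$isPrefixed) {
            continue; // unprefixed cookies carry no guarantee either way
        }
        if (array_key_exists($name, $raw) && $raw[$name] === (string) $value) {
            $result['trusted'][$name] = $value;
        } else {
            $result['suspicious'][$name] = $value;
        }
    }
    return $result;
}

// Constructed sample input (not captured traffic): the raw header carries a
// genuine __Host-csrf cookie, while $_COOKIE additionally contains a
// "__Host-session" key that stands in for a name PHP rewrote on the way in
// and that therefore does not appear verbatim in the header.
$sampleHeader  = '__Host-csrf=abc123; plain=1';
$sampleCookies = [
    '__Host-csrf'    => 'abc123',
    '__Host-session' => 'forged',
    'plain'          => '1',
];

$check = trustedPrefixedCookies($sampleHeader, $sampleCookies);
foreach ($check['suspicious'] as $name => $_) {
    error_log("Dropping prefixed cookie without verbatim header match: {$name}");
}

// In a live request, pass the real values instead of the sample:
// $check = trustedPrefixedCookies($_SERVER['HTTP_COOKIE'] ?? '', $_COOKIE);
```

Use $check['trusted'] in place of $_COOKIE wherever a prefixed cookie gates authentication or CSRF decisions, and route the suspicious list to your logging pipeline; a non-empty suspicious list on a patched PHP build is worth investigating on its own. The check is a stopgap for the workaround described above and does not replace upgrading to a fixed PHP release.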

Conclusion

CVE-2024-2756 highlights the importance of thorough vulnerability patching and the potential consequences of incomplete fixes. This vulnerability exposes PHP applications to potential exploits that could allow unauthorized access to sensitive data and resources. By staying updated on the latest security developments and ensuring the proper mitigations are in place, developers can minimize the risks posed by such vulnerabilities and protect their applications.

Timeline

Published on: 04/29/2024 04:15:07 UTC
Last modified on: 05/08/2024 01:15:06 UTC