CVE-2020-7070 in PHP
Summary
by MITRE • 10/04/2020
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 11/16/2020
The vulnerability identified as CVE-2020-7070 represents a critical security flaw in PHP's cookie handling mechanism that affects multiple versions within the 7.2.x, 7.3.x, and 7.4.x release lines. This issue stems from the improper handling of URL-encoded cookie names during HTTP request processing, creating a potential pathway for attackers to manipulate cookie security properties. The flaw specifically manifests when PHP processes incoming HTTP cookies, where the system performs URL decoding on cookie names, leading to unexpected behavior in cookie validation logic. This vulnerability is particularly concerning because it directly impacts the security model that PHP employs for handling cookies with specific prefixes such as __Host, which are designed to enforce strict security requirements including secure flag enforcement and domain restrictions. The improper URL decoding process creates a scenario where an attacker can craft malicious cookie values that, when decoded, appear to match the security-sensitive cookie name patterns, thereby bypassing intended security controls.
The technical implementation of this vulnerability involves PHP's internal cookie parsing logic where cookie names undergo URL decoding before being validated against security prefixes. When an attacker sends a cookie with a URL-encoded name such as %5f%5f%48%6f%73%74 (which decodes to __Host), the system processes this as a legitimate security-sensitive cookie name even though the original encoded form was not intended to be treated as such. This creates a mismatch between the expected security behavior and the actual implementation, allowing attackers to forge cookies that should be restricted to secure contexts. The vulnerability is classified under CWE-284, which deals with inadequate access control, and specifically relates to improper handling of security-sensitive cookie attributes. The flaw operates at the application layer, affecting web applications that rely on PHP's built-in cookie management functions and can be exploited through HTTP request manipulation without requiring any special privileges or authentication.
The operational impact of CVE-2020-7070 extends beyond simple cookie manipulation to potentially compromise the entire session management system of affected applications. Attackers can exploit this vulnerability to forge secure cookies that bypass the intended security restrictions, potentially leading to session hijacking, privilege escalation, or unauthorized access to protected resources. The vulnerability is particularly dangerous in applications that implement strict cookie security policies, such as those using __Host, __Secure, or similar prefixed cookies to enforce secure communication requirements. When combined with other vulnerabilities like CVE-2020-8184, which addresses related cookie handling issues, attackers can create more sophisticated exploitation scenarios that completely undermine the cookie security model. This vulnerability affects the fundamental trust model of web applications that depend on PHP's cookie handling, potentially allowing attackers to bypass authentication mechanisms and gain unauthorized access to sensitive application features. The impact is especially severe for applications implementing security-sensitive cookie patterns that are designed to prevent cross-site scripting attacks and session fixation vulnerabilities.
Mitigation strategies for CVE-2020-7070 primarily involve upgrading to patched versions of PHP where the cookie handling logic has been corrected to prevent URL decoding of cookie names during security validation. Organizations should immediately update their PHP installations to versions 7.2.34, 7.3.23, or 7.4.11 and later, as these releases contain the necessary fixes for the cookie parsing behavior. Additionally, application-level defenses can include implementing custom cookie validation logic that explicitly checks for URL-encoded cookie names and rejects suspicious patterns before they reach PHP's internal cookie processing. Security teams should also review existing cookie handling code to identify any custom implementations that might be vulnerable to similar URL decoding issues. The mitigation approach aligns with ATT&CK technique T1548.002, which involves bypassing security controls through application-level manipulation, and follows the principle of least privilege by ensuring that cookie validation logic properly enforces security boundaries. Organizations should conduct thorough testing of their cookie handling mechanisms after applying patches to ensure that legitimate functionality remains intact while the vulnerability is properly addressed. Regular security assessments and monitoring of cookie-related activities can help detect potential exploitation attempts and provide early warning of any attempts to leverage this vulnerability.