Drupal rolls out update for issue that is contingent on cookie middleware being enabled

Patch released for cross-domain cookie leakage flaw in Guzzle

UPDATED The maintainers of Guzzle, the hugely popular HTTP client for PHP applications, have addressed a high severity vulnerability leading to cross-domain cookie leakage.

Drupal, the open source content management system (CMS), is among the applications that use the third-party library and has released software updates addressing the issue.

The flaw resides in Guzzle’s cookie middleware, which is disabled by default, “so most library consumers will not be affected by this issue”, reads a GitHub security advisory published by a Guzzle maintainer on Wednesday (May 25).

The cookies crumble

Tracked as CVE-2022-29248, the bug centers on a failure to check if the cookie domain equals the domain of the server which sets the cookie via the Set-Cookie header. This would allow “a malicious server to set cookies for unrelated domains”, continues the advisory.

“For example, an attacker at www.example.com might set a session cookie for api.example.net, logging the Guzzle client into their account and retrieving private API requests from the security log of their account.”

Catch up on the latest PHP security news

Guzzle, a PSR-7-compatible library, has been installed around 400 million times.

“Most Laravel applications will be using Guzzle, for example,” Graham Campbell, who published the GitHub advisory, told The Daily Swig. It is also used by Adobe’s e-commerce platform, Magento.

“Anyone using the AWS PHP SDK will also be using Guzzle, although it should be noted that this vulnerability does not affect AWS SDK users, since that cookie middleware is not enabled,” said Campbell.

Only users that “manually add the cookie middleware to the handler stack or construct the client with ['cookies' => true] are affected”, explained the advisory. They must also use the same Guzzle client to call multiple domains and have redirect forwarding enabled to be vulnerable.

Guzzle maintainers have fixed the flaw in versions 6.5.6 and 7.4.3, and advised users to ensure cookie middleware is disabled unless cookie support is required.

Drupal updates

In a security advisory issued on the same day as its Guzzle counterpart, Drupal said the Guzzle vulnerability “does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites”.

The issue has been patched in Drupal versions 9.3.14 and 9.2.20, with previous Drupal 9 versions no longer supported. Drupal 7 is not affected by the flaw.

Drupal classified the bug as ‘moderately critical’ on its own severity scale, assigning a score of 13 out of 25.

The vulnerability was disclosed by ‘myxl’, who published a proof of concept on huntr.

This article was updated on May 30 with additional comment and details about Guzzle

RECOMMENDED Security ‘researcher’ hits back against claims of malicious CTX file uploads