PHP parses encoded cookie names so malicious __Host- cookies can be sent.
Understanding CVE-2020-7070
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23, and 7.4.x below 7.4.11, a vulnerability exists where PHP decodes incoming HTTP cookie values, potentially allowing attackers to forge secure cookies.
What is CVE-2020-7070?
This CVE refers to a security issue in PHP versions 7.2.x, 7.3.x, and 7.4.x that could enable attackers to manipulate cookies by exploiting the way PHP processes incoming HTTP cookie values.
The Impact of CVE-2020-7070
The vulnerability could lead to the forging of cookies that are meant to be secure, potentially allowing attackers to impersonate users or gain unauthorized access.
Technical Details of CVE-2020-7070
Vulnerability Description
When PHP processes incoming HTTP cookie values, it also decodes the cookie names. A cookie whose raw name merely percent-decodes to a __Host- prefix is therefore indistinguishable from a genuine __Host- cookie, which lets an attacker supply a cookie that the browser would never have sent under that name.
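To make the name confusion concrete from the defender's side, the following is an added PHP example (not code from the advisory or from the PHP project): it scans the raw Cookie header for names that only acquire a __Host- or __Secure- prefix after percent-decoding and drops them from $_COOKIE. It assumes the SAPI exposes the raw header as $_SERVER['HTTP_COOKIE'] and uses a constructed sample header.

```php
<?php
// Added example, not part of the advisory. Works on the raw Cookie header
// so the check does not depend on how a given PHP version filled $_COOKIE.
// Constructed sample header: the second cookie is "__%48ost-session",
// which an unpatched PHP decodes to the key "__Host-session".
const SAMPLE_COOKIE_HEADER = 'theme=dark; __%48ost-session=abc123; __Host-csrf=tok';

const PROTECTED_PREFIXES = ['__Host-', '__Secure-'];

/**
 * Returns the raw names of cookies whose literal name does not carry a
 * protected prefix but whose URL-decoded name does. A conforming browser
 * never sends such a name, so treat any match as forged.
 */
function findForgedPrefixedCookies(string $rawHeader): array {
    $suspicious = [];
    foreach (explode(';', $rawHeader) as $pair) {
        $pair = ltrim($pair);
        if ($pair === '') {
            continue;
        }
        $eq = strpos($pair, '=');
        $rawName = ($eq === false) ? $pair : substr($pair, 0, $eq);
        $decoded = urldecode($rawName); // the key an unpatched PHP would use
        foreach (PROTECTED_PREFIXES as $prefix) {
            $decodedHasPrefix = strncmp($decoded, $prefix, strlen($prefix)) === 0;
            $rawHasPrefix = strncmp($rawName, $prefix, strlen($prefix)) === 0;
            if ($decodedHasPrefix && !$rawHasPrefix) {
                $suspicious[] = $rawName;
            }
        }
    }
    return $suspicious;
}

/**
 * Mitigation hook for application code: remove every $_COOKIE entry that
 * only gained its prefix through decoding. Note that PHP also rewrites
 * '.' and ' ' in variable names to '_', so exotic names may need the same
 * normalisation before the unset(); prefixed session names rarely do.
 */
function dropForgedPrefixedCookies(array &$cookies, string $rawHeader): void {
    foreach (findForgedPrefixedCookies($rawHeader) as $rawName) {
        unset($cookies[urldecode($rawName)]);
    }
}

// Stand-alone run on the constructed header (in a real request use
// $_SERVER['HTTP_COOKIE'] and pass $_COOKIE by reference).
$cookies = ['theme' => 'dark', '__Host-session' => 'abc123', '__Host-csrf' => 'tok'];
dropForgedPrefixedCookies($cookies, SAMPLE_COOKIE_HEADER);
print_r(findForgedPrefixedCookies(SAMPLE_COOKIE_HEADER));
print_r($cookies);
```

Only the cookie whose raw name was percent-encoded is reported and removed; the literal __Host-csrf cookie is left untouched.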
Exploitation Mechanism
Attackers can exploit this vulnerability by sending specially crafted HTTP cookie values to the affected PHP versions, allowing them to create forged cookies.
Mitigation and Prevention
Patching and Updates
Apply the patches provided by the PHP Group (7.2.34, 7.3.23, or 7.4.11 and later) to fix the vulnerability and harden PHP installations.