Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
1. A cookie is set using the `secure` keyword for `https://target`2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set3. The same cookie name is set - but with just a slash as path (`path='/'`). Since this site is not secure, the cookie *should* just be ignored.4. A bug in the path comparison logic makes curl read outside a heap buffer boundaryThe bug either causes a crash or it potentially makes the comparison come tothe wrong conclusion and lets the clear-text site override the contents of thesecure cookie, contrary to expectations and depending on the memory contentsimmediately following the single-byte allocation that holds the path.The presumed and correct behavior would be to plainly ignore the second set ofthe cookie since it was already set as secure on a secure host so overridingit on an insecure host should not be okay.
No PoCs from references.
- https://github.com/8-cm/kube-dump
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/fkie-cad/nvd-json-data-feeds