CVE-2020-7070 Overview
CVE-2020-7070 is a cookie prefix confusion vulnerability in PHP that affects how incoming HTTP cookies are processed. When PHP parses the Cookie header of a request, the cookie names (not only the values) are URL-decoded, which can lead to security cookie prefix confusion. This lets an attacker forge cookies that are supposed to be protected, because a percent-encoded name that other layers treat as ordinary decodes inside PHP to a name carrying a special prefix such as __Host- or __Secure-, potentially bypassing the security mechanisms those prefixes are designed to provide.
Critical Impact
Attackers can forge supposedly secure cookies by exploiting URL-decoding behavior, potentially bypassing cookie security mechanisms and impersonating legitimate secure cookie prefixes.
Affected Products
- PHP versions 7.2.x below 7.2.34
- PHP versions 7.3.x below 7.3.23
- PHP versions 7.4.x below 7.4.11
- Fedora 31, 32, 33
- Debian Linux 9.0, 10.0
- openSUSE Leap 15.1, 15.2
- Ubuntu Linux 12.04, 14.04 ESM, 16.04 LTS, 18.04 LTS, 20.04 LTS
- NetApp Clustered Data ONTAP
- Tenable Tenable.sc
Discovery Timeline
- 2020-10-02 - CVE-2020-7070 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-7070
Vulnerability Analysis
This vulnerability stems from PHP's handling of HTTP cookie names during request processing. Cookie prefixes such as __Host- and __Secure- are security mechanisms defined in the RFC 6265bis draft that provide enhanced cookie security guarantees. A __Host- cookie must carry the Secure attribute (so it is sent only over HTTPS), must not include a Domain attribute, and must have its Path attribute set to /. A __Secure- cookie must carry the Secure attribute and therefore requires HTTPS transmission.
The flaw occurs because PHP URL-decodes cookie names before registering them in $_COOKIE. An attacker can send a cookie whose name is percent-encoded (e.g., %5F%5FHost-, which decodes to __Host-): browsers and other front-end components apply their prefix checks to the literal, undecoded name, so the cookie passes them, yet PHP decodes the name and the application sees the protected prefix. This mismatch between how different layers of the web stack interpret cookie names enables cookie forgery.
This vulnerability is related to CVE-2020-8184, which addresses a similar issue in the Rack framework for Ruby applications, indicating this is a cross-platform concern in web application security.
Root Cause
The root cause lies in improper input validation (CWE-20) and reliance on cookies without validation and integrity checking (CWE-565). PHP performs URL-decoding on cookie names as part of its request parsing logic, but security checks for cookie prefixes may occur before this decoding step in upstream components like web servers or reverse proxies. This inconsistent decoding sequence allows attackers to bypass cookie prefix security mechanisms by submitting URL-encoded cookie names that decode to protected prefixes after passing through initial security checks.
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by sending malicious HTTP requests containing cookies with URL-encoded names that decode to security-sensitive prefixes. For example:
- The attacker crafts a cookie with a URL-encoded name like %5F%5FHost-session (which decodes to __Host-session)
- Upstream security components (load balancers, WAFs) may not recognize this as a protected cookie name
- PHP decodes the cookie name during request processing
- The application treats the cookie as if it has the __Host- security prefix
- This allows the attacker to forge cookies that should only be settable under strict security conditions
The attack enables an adversary to potentially bypass authentication mechanisms, session management controls, or other security features that rely on cookie prefix protections.
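The decoding mismatch described above, modelled in Python as an added example (this is not PHP's own source code): one function builds the cookie array the way PHP did before the fix, one the way the patched versions do, and a third reports the raw names that only acquire a protected prefix through decoding. The sample header, cookie names and values are constructed.

```python
from urllib.parse import unquote_plus

PROTECTED_PREFIXES = ("__Host-", "__Secure-")

def split_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs, decoding neither."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name.strip(), value))
    return pairs

def vulnerable_cookie_array(header):
    """Model of PHP before 7.2.34 / 7.3.23 / 7.4.11: the cookie NAME is
    URL-decoded just like the value. unquote_plus mirrors PHP's url_decode,
    which also turns '+' into a space."""
    return {unquote_plus(name): unquote_plus(value)
            for name, value in split_cookie_header(header)}

def fixed_cookie_array(header):
    """Model of patched PHP: the name is taken literally; only the value is decoded.
    Duplicate-name handling is deliberately left undefined by this model."""
    return {name: unquote_plus(value) for name, value in split_cookie_header(header)}

def prefix_confusion(header):
    """Raw names that gain a protected prefix only through decoding: the CVE
    condition, and the check an application-level workaround would apply.
    A literal __Host-/__Secure- name is left alone; the browser enforced it."""
    return [raw for raw, _ in split_cookie_header(header)
            if unquote_plus(raw) != raw
            and unquote_plus(raw).startswith(PROTECTED_PREFIXES)]

# Constructed Cookie header: "__Secure-token" was set legitimately, while
# "%5F%5FHost-session" is a distinct literal name that browser prefix rules
# do not cover, so it is stored and sent like any ordinary cookie.
SAMPLE_HEADER = "theme=dark; %5F%5FHost-session=forged123; __Secure-token=abc"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_cookie_array(SAMPLE_HEADER))
    print("fixed:     ", fixed_cookie_array(SAMPLE_HEADER))
    print("confused:  ", prefix_confusion(SAMPLE_HEADER))
```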
Detection Methods for CVE-2020-7070
Indicators of Compromise
- Presence of URL-encoded cookie names in HTTP request logs (e.g., %5F%5F patterns that decode to underscores)
- Unexpected cookie values for __Host- or __Secure- prefixed cookies
- Session anomalies or authentication bypasses without corresponding legitimate user activity
- HTTP requests containing cookies with encoded special characters in cookie names
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block cookies with URL-encoded prefixes that could decode to __Host- or __Secure-
- Monitor PHP application logs for unusual session behavior or authentication anomalies
- Deploy network intrusion detection signatures to identify HTTP requests with suspiciously encoded cookie names
- Perform regular security scanning to identify vulnerable PHP versions in your infrastructure
Monitoring Recommendations
- Enable detailed HTTP request logging including full cookie headers to capture potential exploitation attempts
- Configure alerting for authentication or session-related errors that may indicate cookie forgery attempts
- Monitor for PHP version information in your asset inventory to ensure vulnerable installations are identified
- Review web server access logs for patterns of encoded cookie names in incoming requests
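A log scanner for the indicators and monitoring points listed above, added here as an example (not a tool from the PHP project or any vendor). It assumes an Apache combined-style LogFormat whose last quoted field is "%{Cookie}i", decodes every percent-encoded cookie name and flags those that decode to a protected prefix; it goes beyond the %5F%5F pattern by also catching partially encoded and mixed-case variants. All log lines, addresses and cookie values are constructed.

```python
import re
from urllib.parse import unquote_plus

PROTECTED_PREFIXES = ("__host-", "__secure-")   # prefix matching is case-insensitive

# A cookie name sits before '=' at the start of the header or after ';'.
NAME_RE = re.compile(r"(?:^|;)\s*([^=;\s]+)\s*=")
# Last double-quoted field on the line; assumed LogFormat ends with "%{Cookie}i".
COOKIE_FIELD_RE = re.compile(r'"([^"]*)"\s*$')

def scan_cookie_header(cookie_header):
    """Return (raw_name, decoded_name, severity) for every percent-encoded name.
    'high' = decodes to a protected prefix (prefix confusion); 'low' = any other
    encoded name, which is already unusual because browsers send names verbatim."""
    findings = []
    for raw in NAME_RE.findall(cookie_header):
        if "%" not in raw:
            continue                      # literal names need no decoding check
        decoded = unquote_plus(raw)
        sev = "high" if decoded.lower().startswith(PROTECTED_PREFIXES) else "low"
        findings.append((raw, decoded, sev))
    return findings

def scan_log(text):
    """Scan access-log text; returns (line_no, raw_name, decoded_name, severity)."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = COOKIE_FIELD_RE.search(line)
        if not m or m.group(1) == "-":    # "-" means no Cookie header was sent
            continue
        for raw, decoded, sev in scan_cookie_header(m.group(1)):
            results.append((line_no, raw, decoded, sev))
    return results

# Constructed log lines (combined format plus a quoted Cookie field).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2020:10:00:01 +0000] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0" "theme=dark; __Host-session=real456"
203.0.113.9 - - [02/Oct/2020:10:00:02 +0000] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0" "%5F%5FHost-session=forged123; lang=en"
203.0.113.9 - - [02/Oct/2020:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "_%5fSecure-token=forged; cart%5Fid=42"
198.51.100.7 - - [02/Oct/2020:10:00:04 +0000] "GET / HTTP/1.1" 200 128 "-" "curl/7.68.0" "-"
"""

if __name__ == "__main__":
    for line_no, raw, decoded, sev in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {sev.upper():4} {raw!r} -> {decoded!r}")
```

Only the high-severity hits indicate prefix confusion; the low ones are worth a look because a well-behaved browser never percent-encodes a cookie name it was given literally.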
How to Mitigate CVE-2020-7070
Immediate Actions Required
- Upgrade PHP to version 7.2.34 or later, 7.3.23 or later, or 7.4.11 or later immediately
- Review and apply security patches from your Linux distribution vendor (Debian, Ubuntu, Fedora, openSUSE)
- Audit applications for reliance on cookie prefix security mechanisms and implement additional validation
- Deploy WAF rules to block requests with URL-encoded cookie name prefixes as a defense-in-depth measure
Patch Information
PHP has released patched versions that address this cookie prefix confusion vulnerability. Organizations should upgrade to the following minimum versions:
- PHP 7.2.34 or later for the 7.2.x branch
- PHP 7.3.23 or later for the 7.3.x branch
- PHP 7.4.11 or later for the 7.4.x branch
For additional details, refer to the PHP Bug Report #79699 and the original HackerOne Report #895727.
Distribution-specific patches are available from:
Workarounds
- Implement application-level validation of cookie names before processing, rejecting any cookies with URL-encoded characters in names
- Configure web servers or reverse proxies to normalize cookie names before passing requests to PHP
- Deploy WAF rules that decode and inspect cookie names for protected prefixes before allowing requests through
- Consider implementing additional session validation mechanisms that do not rely solely on cookie prefix security
# Example: Apache mod_rewrite rule to block URL-encoded cookie prefixes
# Add to your Apache configuration or .htaccess file (mod_rewrite must be enabled)
# The pattern anchors to the start of a cookie name and requires at least one
# percent-encoded underscore, so legitimate literal __Host-/__Secure- cookies
# are not blocked; [NC] makes it catch lowercase %5f as well.
RewriteEngine On
RewriteCond %{HTTP_COOKIE} (^|;\s*)(%5F%5F|%5F_|_%5F)(Host|Secure)- [NC]
RewriteRule .* - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


