php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #10519 $HTTP_COOKIE_VARS spoofing
Submitted: 2001-04-26 21:35 UTC Modified: 2010-11-24 09:33 UTC
From: stuff at cheesygames dot net Assigned: jani (profile)
Status: Closed Package: *General Issues
PHP Version: 4.0.4pl1 OS: Win98
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2001-04-26 21:35 UTC] stuff at cheesygames dot net 
<?
   setCookie('cookie[one]','one');
   setCookie('cookie[two]','two');

   print_r($HTTP_COOKIE_VARS);
?>

If you access this page with the command line arguement 

?cookie[three]=three 

print_r will show cookie[three] in $HTTP_COOKIE_VARS.

Just a bit of incongrous material, but for some sites could cause problems if cookies are spoofed thusly.

Regards

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-04-29 13:23 UTC] bbonev@php.net 
think about cookies the same way as GET data or POST data - they are at the same level and can be spoofed very easy with a cURL client for example. one can tell his client what cookie with what value to pass for a given request

the issue here is not security but programmers comfort. but when one uses the short representations of variables she must be aware of the GPC order setting.

i think this is the same like overriding a post variable with a get one.

do you think this bug shall be closed?
 [2001-04-29 16:34 UTC] bbonev@php.net 
indeed i have missed one of the points - the fact that when passing data in the array form, all the values combine in a single array. further testing showed that the cookies also appear in HTTP_GET_VARS. i am sure that if there is a post to an url with a get var and some cookies (all varnames in array form) HTTP_*_ARRAY will contain all the values.

this issue is a serious concern about the --enable-track-vars code. it must be resolved by overwriting the whole arrays, not adding data to them in order to be consistent

e.g.

get var: myarr[one]=1
post var: myarr[two]=2
cookie var: myarr[three]=3

gpc order is GPC

the global array $myarr has only the 'one' key

the HTTP_*_VARS have only the proper arrays
 [2001-08-31 12:10 UTC] sander@php.net 
Not a bug (as stated by bbonev). Making it a feature/change request.
 [2010-11-24 09:33 UTC] jani@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-11-24 09:33 UTC] jani@php.net 
This is handled by variables_order. Since some PHP 5.x it has not been possible to spoof $_COOKIE, AFAIK.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 02:01:29 2024 UTC