[bug] Hydra not retrieving cookies properly #12

Closed
ghost opened this issue Jul 29, 2014 · 2 comments

ghost commented Jul 29, 2014

When the remote server issues a cookie via "Set-Cookie", hydra replays all the output that follows the "Set-Cookie" header, instead of stopping at "\r\n". I can confirm this bug in hydra v8.1-dev and hydra v7.4.2. I've followed these steps to reproduce it:

My test.php has the following code:

<?php
header('Set-Cookie: mycookie=myvalue');
if(isset($_REQUEST['user']) && isset($_REQUEST['pass'])){
  if($_REQUEST['user'] == 'myuser' && $_REQUEST['pass'] == 'mypass')
    echo "Login successful!";
  else
    echo "<h1>Login incorrect</h1>";
}else
  echo "User and password are undefined.";

My users.txt file:

ander
cr0m
matriuX
myuser

And my pass.txt file:

matriX
ezekiel
abc
mypass

Hydra reports 8 valid passwords found, which is incorrect:

$ ./hydra 81.169.244.210 http-form-post "/test.php:user=^USER^&pass=^PASS^:incorrect" -L users.txt -P pass.txt -t 2 -w 30 -v
<output trimmed>
[80][www-form] host: 81.169.244.210   login: ander   password: matriX
[80][www-form] host: 81.169.244.210   login: ander   password: ezekiel
[80][www-form] host: 81.169.244.210   login: cr0m   password: matriX
[80][www-form] host: 81.169.244.210   login: cr0m   password: ezekiel
[80][www-form] host: 81.169.244.210   login: matriuX   password: matriX
[80][www-form] host: 81.169.244.210   login: matriuX   password: ezekiel
[80][www-form] host: 81.169.244.210   login: myuser   password: matriX
[80][www-form] host: 81.169.244.210   login: myuser   password: ezekiel
[STATUS] attack finished for 81.169.244.210 (waiting for children to complete tests)
1 of 1 target successfully completed, 8 valid passwords found

Wireshark traces (Right click --> Follow TCP Stream)
First GET request, which is supposed to retrieve the cookies:

GET /test.php HTTP/1.0
Host: 81.169.244.210
User-Agent: Mozilla/5.0 (Hydra)

HTTP/1.1 200 OK
Date: Tue, 29 Jul 2014 17:57:48 GMT
Server: BHS :D
Set-Cookie: mycookie=myvalue
Vary: Accept-Encoding
Content-Length: 32
Connection: close
Content-Type: text/html

User and password are undefined.

Subsequent POST requests (actual password cracking):

POST /test.php HTTP/1.0
Host: 81.169.244.210
User-Agent: Mozilla/5.0 (Hydra)
Content-Type: application/x-www-form-urlencoded
Content-Length: 23
Cookie: mycookie=myvalue
Vary: Accept-Encoding
Content-Length: 32
Connection: close
Content-Type: text/html

User and password are undefined.

user=ander&pass=ezekielHTTP/1.1 413 Request Entity Too Large
Date: Tue, 29 Jul 2014 17:57:48 GMT
Server: BHS :D
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/test.php<br />
does not allow request data with POST requests, or the amount of data provided in
the request exceeds the capacity limit.
</body></html>
User and password are undefined.
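
An added example, not part of the original report and not Hydra's own code: one way to bound the cookie value at the end of its header line, as the report asks. The function name, buffer sizes and sample response are assumptions made for illustration; it also cuts at `;`, which goes beyond the report, because attributes such as `Path` are not sent back in a `Cookie` header.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed sample: response headers modelled on the trace in the report. */
static const char SAMPLE[] =
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: mycookie=myvalue\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Length: 32\r\n"
    "\r\n"
    "User and password are undefined.";

/* Hypothetical helper: gather name=value from every Set-Cookie header into out
 * as "a=b; c=d". A value ends at ';', CR or LF; scanning stops at the blank line
 * that closes the headers. Returns the cookie count, or -1 if out is too small. */
int collect_cookies(const char *resp, char *out, size_t outlen) {
    static const char name[] = "Set-Cookie:";
    size_t used = 0;
    int count = 0;
    const char *line = resp;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (*line != '\0' && *line != '\r' && *line != '\n') {
        size_t linelen = strcspn(line, "\r\n");        /* length of this header line */
        if (strncasecmp(line, name, sizeof(name) - 1) == 0) {
            const char *val = line + sizeof(name) - 1;
            while (*val == ' ' || *val == '\t') val++;  /* skip optional whitespace */
            size_t vlen = strcspn(val, ";\r\n");        /* never runs past the line */
            size_t sep = count ? 2 : 0;
            if (used + sep + vlen + 1 > outlen) return -1;
            if (sep) { memcpy(out + used, "; ", 2); used += 2; }
            memcpy(out + used, val, vlen);
            used += vlen;
            out[used] = '\0';
            count++;
        }
        line += linelen;                                /* step over CRLF, LF or CR */
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return count;
}

int main(void) {
    char buf[64];
    printf("%d cookie(s): %s\n", collect_cookies(SAMPLE, buf, sizeof buf), buf);
    return 0;
}
```
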
Author

ghost commented Jul 29, 2014

I'm working on a new feature for Hydra and I discovered this bug by chance. This new feature should be finished by tomorrow, so I'll fix this bug along with it.

@vanhauser-thc
Owner

that would be great! thanks!

vanhauser-thc added a commit that referenced this issue Sep 11, 2014
Enhancement in parameters 'h' and 'H' to define custom headers, plus issue #12 fixed.