PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to bypass intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report."
PHP's handling of HTTP request methods is flawed, allowing attackers to bypass access controls by sending requests with malformed or unexpected methods. This vulnerability can lead to unauthorized access to sensitive resources if the web server configuration relies solely on HTTP method restrictions. While disputed by Apache, the issue highlights a potential misconfiguration risk where PHP scripts don't properly validate request methods.
Step 1: Identify Target: The attacker identifies a web server running PHP and potentially vulnerable to method-based access control bypass.
Step 2: Craft Malformed Request: The attacker crafts an HTTP request using an invalid or unexpected method (e.g., 'PoSt', 'GETX', or a custom method). The request targets a resource that is intended to be protected by method restrictions.
Step 3: Request Processing: The web server (e.g., Apache) receives the request and, due to its configuration, passes it to the PHP interpreter.
Step 4: PHP Interpretation: PHP, by default, treats the unknown method as a GET request.
Step 5: Access Granted (Potentially): If the PHP script doesn't explicitly validate the HTTP method, it processes the request as a GET request, potentially bypassing intended access restrictions and granting unauthorized access to the resource.
The root cause lies in PHP's default behavior of treating unknown HTTP methods as GET requests. This is not a vulnerability in PHP itself, but rather a potential misconfiguration risk when combined with web server configurations that pass all request methods to PHP. The flaw stems from the assumption that the web server (e.g., Apache) can enforce access control based on HTTP methods. If the server is configured to pass all methods to PHP and the PHP script doesn't explicitly validate the method, an attacker can bypass method-based access restrictions. The core issue is a lack of input validation and method enforcement within the PHP script itself, leading to a logical flaw in access control.
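One way to put the method check inside the script, as the root cause analysis above calls for. This is an added example, not code from the advisory or from PHP; the function names method_is_allowed and enforce_method are hypothetical, and the sample method strings are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Exact, case-sensitive match against an allowlist. HTTP method tokens are
 * case-sensitive, so "PoSt" is not "POST" and is rejected, not normalised.
 */
function method_is_allowed(string $method, array $allowed): bool
{
    return in_array($method, $allowed, true);
}

/**
 * Call at the top of a script, before any access-controlled work.
 * Answers 405 with an Allow header and stops on any unlisted method,
 * so the decision no longer depends on the web server configuration.
 */
function enforce_method(array $allowed): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? '';
    if (!method_is_allowed($method, $allowed)) {
        http_response_code(405);
        header('Allow: ' . implode(', ', $allowed));
        exit;
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample methods, including the ones named in the text.
    foreach (['GET', 'POST', 'PoSt', 'GETX', 'get', ''] as $m) {
        printf(
            "%-6s %s\n",
            $m === '' ? '(none)' : $m,
            method_is_allowed($m, ['GET', 'POST']) ? 'allowed' : 'rejected (405)'
        );
    }
} else {
    enforce_method(['GET', 'POST']);
    // Script logic that branches on $_SERVER['REQUEST_METHOD'] follows here.
}
```

Run from the command line, the block prints the allowlist decision for each sample method; served through a web server, it rejects any request whose method is not exactly GET or POST.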