Source: cve@mitre.org
PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report.
PHP's handling of HTTP request methods allows attackers to bypass access controls by sending requests with malformed or unexpected methods (e.g., 'PoSt' instead of 'POST'). This vulnerability can lead to unauthorized access to sensitive data or functionality if the web server's configuration relies solely on HTTP method restrictions. While disputed by Apache, the underlying issue lies in PHP's permissive behavior and can be exploited in specific configurations.
Step 1: Target Identification: Identify a web server running PHP with potential access restrictions based on HTTP methods (e.g., POST for sensitive actions).
Step 2: Method Manipulation: Craft an HTTP request using an invalid or malformed method (e.g., 'PoSt', 'pOsT', 'poST') instead of the expected method (e.g., 'POST').
Step 3: Request Delivery: Send the crafted request to the vulnerable PHP script.
Step 4: PHP Processing: PHP receives the request and, due to its permissive nature, processes it as a GET request (or a similar fallback).
Step 5: Access Bypass: The PHP script executes the intended functionality, bypassing the intended method-based access restrictions configured on the web server (e.g., Apache's Limit directive).
Step 6: Unauthorized Access: The attacker gains access to the protected resource or functionality.
PHP's core design allows scripts to process any HTTP request method. The vulnerability stems from the interaction between PHP's permissive method handling and web server configurations (like Apache's Limit directive) that attempt to restrict access based on the HTTP method. If a web server is configured to pass all methods to PHP, and a PHP script doesn't explicitly validate the request method, an attacker can send a request with an invalid method (e.g., 'PoSt'). PHP will then treat this invalid method as a GET request. This bypasses any access control rules implemented at the web server level that are based on the intended method (e.g., POST for data submission). The root cause is a lack of strict method validation within PHP scripts and a reliance on server-side configurations that are insufficient to enforce method-based access control in all scenarios. The issue is not a specific code flaw, but rather a design decision that can lead to unexpected behavior when combined with certain server configurations.
While no specific APTs or malware are directly associated with this vulnerability, it could be leveraged by attackers targeting poorly configured web applications. The vulnerability itself is not listed on the CISA KEV catalog.
Analyze web server logs for requests with unexpected or malformed HTTP methods (e.g., 'PoSt', 'pOsT').
Inspect PHP script code for explicit validation of the HTTP request method (e.g., using $_SERVER['REQUEST_METHOD']).
Monitor network traffic for unusual HTTP requests that deviate from expected patterns.
Use a web application firewall (WAF) to block requests with invalid HTTP methods.
Implement robust input validation within PHP scripts to explicitly check the HTTP request method using $_SERVER['REQUEST_METHOD'] and reject unexpected methods.
Avoid relying solely on web server configuration (e.g., Apache's Limit directive) for method-based access control. Implement access control logic within the PHP script itself.
Use a web application firewall (WAF) to filter out requests with invalid or unexpected HTTP methods.
Regularly review and update PHP scripts and web server configurations to address potential vulnerabilities.
Implement a defense-in-depth approach, combining server-side and application-level security measures.