PHP with Apache Mixed Case Method Limit Directive Bypass

2003-06-25T18:25:14
ID OSVDB:28130
Type osvdb
Reporter OSVDB
Modified 2003-06-25T18:25:14

Description

Vulnerability Description

PHP as implemented in the Apache Web Server has been reported to contain a flaw that may allow a remote attacker to bypass restrictions. The issue is reportedly due to Apache not properly handling a mixed case method request (such as 'Post' instead of 'POST'), letting an attacker bypass the Limit Directive. The Apache Foundation has replied stating this is intended behavior and not a vulnerability: "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report."

Short Description

PHP as implemented in the Apache Web Server has been reported to contain a flaw that may allow a remote attacker to bypass restrictions. The issue is reportedly due to Apache not properly handling a mixed case method request (such as 'Post' instead of 'POST'), letting an attacker bypass the Limit Directive. The Apache Foundation has replied stating this is intended behavior and not a vulnerability: "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report."

References:

Other Advisory URL: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=97 CVE-2003-0249