Description
** DISPUTED ** PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report."
Remediation
References
Related Vulnerabilities
WordPress Plugin Ultimate Addons for Visual Composer Multiple Vulnerabilities (3.16.10)
Chamilo Improper Input Validation Vulnerability (CVE-2012-4030)
WordPress Plugin Error Log Monitor Security Bypass (1.6.4)
MODX Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-8775)
Lighttpd Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2008-4360)