漏洞标题
N/A
漏洞描述信息
**争议**
PHP将未知方法(如"PoSt")视为GET请求,如果PHP运行在会传递所有方法的服务器上,例如Apache httpd 2.0,则可能会允许攻击者绕过预期的访问限制,此现象通过使用Limit指令进行了演示。注意:Apache安全团队对这个问题表示了争议,他们说:“PHP的设计是允许脚本处理任何请求方法。因此,一个没有明确验证请求方法的脚本将被视为随机方法的处理正常。因此,预期行为是,我们不能单独使用Apache配置来实现每个方法的访问控制,这是本报告的假设。”
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
** DISPUTED ** PHP绕过预期的访问限制漏洞
漏洞描述信息
** DISPUTED ** PHP将如"PoSt"的未知类函数作为GET请求,PHP运行在传送所有类函数的服务器上时,攻击者利用该漏洞绕过预期的访问限制,如Apache httpd 2.0版本使用限制指令。
CVSS信息
N/A
漏洞类别
授权问题