Description
By manipulating the HTTP verb it was possible to bypass the authorization on this directory. The scanner sent a request with a custom, non-standard HTTP verb (WVS in this case) and the server answered it without enforcing the authorization check that applies to GET. An attacker can do the same with any of the standard HTTP verbs, such as HEAD, TRACE, TRACK, PUT, DELETE, and others. A quick manual check is to repeat a request that returns 401 or 403 for GET with a different verb and compare the status code and body: if the alternate verb is served, the access control is bound to specific methods rather than to the resource.
An application is vulnerable to HTTP Verb tampering if the following conditions hold:
- it uses a security control that lists HTTP verbs
- the security control fails to block verbs that are not listed
- it exposes GET functionality that is not idempotent, or request-handling code that executes regardless of which HTTP verb is used (for example, a handler that reads its parameters without checking the method)
For example, an Apache .htaccess file is vulnerable when the authentication requirement is scoped to particular HTTP verbs with the <Limit> directive, so that any verb not listed is served without credentials:
# .htaccess: credentials are required only for the listed methods;
# a request using any other verb (HEAD, or an invented one such as WVS)
# is not covered by the require directive at all.
# The method list "GET POST" is assumed for illustration; the page shows only the inner directive.
<Limit GET POST>
    require valid-user
</Limit>
Remediation
In the case of Apache and .htaccess, do not scope the authentication requirement to particular HTTP verbs: place require valid-user outside any <Limit> section so that it applies to every method. If some methods must be refused outright, use <LimitExcept> with the permitted methods listed, since it covers every verb that is not listed, including non-standard ones. For applications that check the verb in their own code, treat the verb as an allow list (reject anything that is not expected) rather than attaching the security check to GET and POST only.
Check the references for guidance on fixing this problem on other platforms.
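The following is an added example, not Acunetix's or Apache's code, that simulates the vulnerable conditions listed above and the remediation in a throwaway local server built on Python's http.server. Two toy policies stand in for the two .htaccess styles: limit_policy models "<Limit GET POST> require valid-user </Limit>" (credentials checked only for the listed verbs), and limit_except_policy models an unscoped require valid-user combined with a <LimitExcept> block that refuses every verb not listed. The function names, the 405 status used for refused verbs, the Basic credentials and the /admin/ path are all constructed for the example; the policies are simplified models of the two configurations, not Apache's actual directive-merging semantics. The probe sends each verb without credentials and reports which ones reach the resource although GET requires a login, which is the check the scanner performed with the custom verb WVS.

```python
"""Simulated HTTP verb tampering check (added example, not the page's code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_PATH = "/admin/"          # constructed protected directory
# Verbs a scanner would try: standard ones plus the made-up WVS from the description.
PROBE_VERBS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "WVS"]
# Constructed Basic credentials "user:pass"; only their presence matters here.
VALID_AUTH = "Basic dXNlcjpwYXNz"


def limit_policy(method, authorized):
    """Models `<Limit GET POST> require valid-user </Limit>`: the credential
    check applies only to the listed verbs, so every other verb falls through."""
    if method in ("GET", "POST") and not authorized:
        return 401
    return 200


def limit_except_policy(method, authorized):
    """Models an unscoped `require valid-user` plus a `<LimitExcept GET POST>`
    block refusing every other verb: unlisted verbs (known or invented) are
    rejected outright (405 chosen here), and the listed ones still need credentials."""
    if method not in ("GET", "POST"):
        return 405
    if not authorized:
        return 401
    return 200


def make_handler(policy):
    """Build a request handler that applies `policy` to every verb, including
    ones http.server has no do_<VERB> method for."""

    class Handler(BaseHTTPRequestHandler):
        def __getattr__(self, name):
            # http.server dispatches to do_<VERB>; route every verb to _serve so
            # an unknown one is judged by the policy instead of answered with 501.
            if name.startswith("do_"):
                return self._serve
            raise AttributeError(name)

        def _serve(self):
            authorized = self.headers.get("Authorization") == VALID_AUTH
            status = policy(self.command, authorized)
            self.send_response(status)
            if status == 401:
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass  # keep the simulation quiet

    return Handler


def probe(port, path=PROTECTED_PATH, verbs=PROBE_VERBS):
    """Send each verb without credentials and record the status code per verb."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        try:
            conn.request(verb, path)
            resp = conn.getresponse()
            resp.read()
            results[verb] = resp.status
        finally:
            conn.close()
    return results


def bypass_verbs(results):
    """Verbs that reach the resource even though GET on it demands credentials."""
    if results.get("GET") != 401:
        return []  # GET itself is unprotected, so there is no control to bypass
    return sorted(verb for verb, status in results.items() if 200 <= status < 300)


def scan(policy):
    """Run a throwaway local server enforcing `policy` and probe it with every verb."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(policy))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, policy in (("Limit", limit_policy), ("LimitExcept", limit_except_policy)):
        results = scan(policy)
        print(f"{name}: {results} -> bypass via {bypass_verbs(results) or 'none'}")
```

With the Limit-style policy, GET and POST return 401 while HEAD, PUT, DELETE, OPTIONS, TRACE and WVS all return 200, which is exactly the bypass the scanner reported; with the LimitExcept-style policy the unlisted verbs are refused and the listed ones still require credentials, so no verb bypasses the control. The same probe can be pointed at a real host by replacing the local server with its address, keeping in mind that a 200 for HEAD alone may simply be a server answering HEAD as a bodiless GET, so compare the response headers and length against the authenticated GET before calling it a finding.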
References