{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/middleware-bypass/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["flightphp/core (\u003c 3.18.1)"],"_cs_severities":["high"],"_cs_tags":["csrf","middleware-bypass","cache-poisoning","http-method-override"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eFlightPHP versions prior to 3.18.1 are vulnerable to HTTP method override. The vulnerability resides in the \u003ccode\u003eRequest::getMethod()\u003c/code\u003e function within \u003ccode\u003eflight/net/Request.php\u003c/code\u003e. The application unconditionally honors the \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header and the \u003ccode\u003e$_REQUEST['_method']\u003c/code\u003e parameter, even on safe HTTP verbs like GET. This behavior allows an attacker to modify the intended HTTP method, potentially leading to Cross-Site Request Forgery (CSRF) escalation, bypassing of authentication and rate-limiting middleware, and CDN cache poisoning. This vulnerability was discovered by @Rootingg and patched in version 3.18.1 (commit b8dd23a) by introducing the \u003ccode\u003eflight.allow_method_override\u003c/code\u003e setting. Disabling this setting mitigates the vulnerability by ignoring method overrides.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a FlightPHP application using a version prior to 3.18.1.\u003c/li\u003e\n\u003cli\u003eThe attacker locates an endpoint that performs a sensitive action using an unsafe HTTP method (e.g., DELETE, PUT).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting the vulnerable endpoint, using a GET request with either the \u003ccode\u003e_method\u003c/code\u003e parameter (e.g., \u003ccode\u003e/?_method=DELETE\u003c/code\u003e) or the \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eFor CSRF, the attacker embeds the malicious URL within an HTML \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag on a website they control.\u003c/li\u003e\n\u003cli\u003eA victim visits the attacker\u0026rsquo;s website, and their browser automatically sends a GET request to the vulnerable application.\u003c/li\u003e\n\u003cli\u003eThe FlightPHP application incorrectly interprets the GET request as the specified unsafe method (e.g., DELETE) due to the \u003ccode\u003e_method\u003c/code\u003e parameter or \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe application executes the sensitive action (e.g., deleting a resource) on behalf of the victim without proper authorization.\u003c/li\u003e\n\u003cli\u003eAlternatively, if middleware checks the HTTP method to apply controls, this can be bypassed by issuing a GET request with a forged \u003ccode\u003e_method\u003c/code\u003e parameter or \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have several significant impacts. 
It allows attackers to perform CSRF attacks, potentially leading to unauthorized data modification or deletion. Attackers can bypass security middleware that relies on HTTP method verification, gaining unauthorized access to protected resources. The vulnerability also enables CDN cache poisoning, where the CDN caches the response of a GET request that was actually processed as a DELETE or PUT, serving incorrect content to future users. The exact number of affected FlightPHP applications is unknown, but any application using a vulnerable version is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FlightPHP to version 3.18.1 or later to patch CVE-2026-42551.\u003c/li\u003e\n\u003cli\u003eSet the \u003ccode\u003eflight.allow_method_override\u003c/code\u003e setting to \u003ccode\u003efalse\u003c/code\u003e to disable HTTP method overriding as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlightPHP HTTP Method Override via _method Parameter\u003c/code\u003e to detect exploitation attempts using the \u003ccode\u003e_method\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect FlightPHP HTTP Method Override via X-HTTP-Method-Override Header\u003c/code\u003e to detect exploitation attempts using the \u003ccode\u003eX-HTTP-Method-Override\u003c/code\u003e header.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-flightphp-http-override/","summary":"A vulnerability in FlightPHP core versions before 3.18.1 allows attackers to override HTTP methods via the `X-HTTP-Method-Override` header or `_method` parameter, leading to CSRF escalation, middleware bypass, and cache poisoning.","title":"FlightPHP HTTP Method Override Vulnerability Leads to CSRF and Middleware Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-26-flightphp-http-override/"}],"language":"en","title":"CraftedSignal Threat Feed — Middleware-Bypass","version":"https://jsonfeed.org/version/1.1"}