CVE-2003-0249

Name of the Vulnerable Software and Affected Versions: PHP (affected versions not specified) Apache httpd 2.0

Description: The issue allows attackers to bypass intended access restrictions if PHP is running on a server that passes on all methods. This is because PHP treats unknown methods, such as PoSt, as a GET request. The Apache security team has disputed this issue, stating it is by design that PHP allows scripts to process any request method and that per-method access control cannot be implemented using the Apache configuration alone.

Recommendations: For PHP, consider explicitly verifying the request method in scripts to prevent processing of arbitrary methods. For Apache httpd 2.0, as a temporary workaround, consider restricting the use of the Limit directive to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.