Flight PHP X-HTTP-Method-Override Header Handling Vulnerability Allowing CSRF Escalation

Vulnerability

A vulnerability in Flight PHP versions prior to 3.18.1 allows for Cross-Site Request Forgery (CSRF) escalation by improperly handling the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter. The Request::getMethod() function unconditionally accepts these overrides on any HTTP verb, including safe methods like GET, without any opt-in or whitelist of allowed methods. This flaw enables a GET request to be silently transformed into a DELETE or PUT request, potentially disrupting middleware that relies on HTTP verb safety and causing cache poisoning between Content Delivery Networks (CDN) and the origin server.

Impact

Exploitation of this vulnerability allows GET requests to be converted into DELETE or PUT requests, bypassing middleware that protects against such actions. This could lead to unauthorized modifications or deletions of resources. Additionally, the vulnerability can cause cache poisoning, where a CDN caches a response from a GET request while the origin server has processed a DELETE request, creating inconsistencies.

Reproduction

The vulnerability can be reproduced by sending a GET request to a route that accepts unsafe verbs, such as DELETE or PUT, while including the '_method' parameter set to the desired verb. Alternatively, the X-HTTP-Method-Override header can be used to achieve the same effect. This can be done manually or through a simple CSRF attack, such as embedding an image tag that points to the vulnerable endpoint with the overridden method.

Remediation

Upgrade to Flight PHP version 3.18.1 or later, where this vulnerability is fixed. Version 3.18.1 introduces a new setting, 'flight.allow_method_override', that lets operators disable method overrides via the X-HTTP-Method-Override header and the '_method' parameter.
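As an added illustration (not Flight's own source, and not its Request::getMethod()), the unconditional override logic described above is shown beside a hardened resolver: it is off unless an operator-controlled switch is on, in the spirit of the 'flight.allow_method_override' setting, and it goes one step further than the advisory by honouring an override only on a real POST and only for an allow-listed target verb. The function names and the $allowOverride parameter are hypothetical; the request arrays are constructed sample input.

```php
<?php
// Added example: a naive method resolver with the flaw described in the
// advisory, beside a hardened variant. Neither is Flight's actual code.

function resolveMethodVulnerable(array $server, array $request): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    // The override is applied on any verb, including safe GET/HEAD: this is
    // the flaw. A cross-site <img> or link (a GET) can become a DELETE/PUT.
    if (isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        $method = strtoupper($server['HTTP_X_HTTP_METHOD_OVERRIDE']);
    } elseif (isset($request['_method'])) {
        $method = strtoupper($request['_method']);
    }
    return $method;
}

function resolveMethodHardened(array $server, array $request, bool $allowOverride): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    // $allowOverride is a hypothetical stand-in for an opt-in setting such as
    // 'flight.allow_method_override': when it is off, no override channel exists.
    if (!$allowOverride) {
        return $method;
    }
    // Only a genuine POST may be tunnelled to another verb. GET and HEAD keep
    // the safety the HTTP spec, caches and verb-aware middleware assume.
    if ($method !== 'POST') {
        return $method;
    }
    $override = $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? $request['_method'] ?? null;
    if ($override === null) {
        return $method;
    }
    // Allow-list the verbs a form is permitted to tunnel to; ignore anything else.
    $override = strtoupper($override);
    return in_array($override, ['PUT', 'PATCH', 'DELETE'], true) ? $override : $method;
}

// Constructed sample input: a plain GET that carries a '_method' override,
// i.e. the shape of the request the advisory describes.
$getRequest = ['REQUEST_METHOD' => 'GET'];
$params     = ['_method' => 'DELETE'];

echo 'vulnerable, GET + _method=DELETE : ', resolveMethodVulnerable($getRequest, $params), PHP_EOL;
echo 'hardened,   GET + _method=DELETE : ', resolveMethodHardened($getRequest, $params, true), PHP_EOL;
echo 'hardened,   POST + _method=DELETE: ', resolveMethodHardened(['REQUEST_METHOD' => 'POST'], $params, true), PHP_EOL;
echo 'hardened,   override disabled    : ', resolveMethodHardened(['REQUEST_METHOD' => 'POST'], $params, false), PHP_EOL;
```

Run with `php` on the command line; the first line shows the GET being rewritten to DELETE, while the hardened resolver leaves the GET untouched and rewrites only the POST when the switch is on.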

Added: May 13, 2026, 8:25 PM
Updated: May 13, 2026, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.