CVE-2020-35239
📋 TL;DR
This vulnerability in CakePHP allows attackers to bypass CSRF protection by manipulating HTTP method override parameters. Attackers can submit arbitrary strings as HTTP methods that aren't validated, enabling CSRF attacks against authenticated users. All CakePHP applications using affected versions with CSRF protection enabled are vulnerable.
💻 Affected Systems
- CakePHP
📦 What is this software?
CakePHP by CakePHP
⚠️ Risk & Real-World Impact
Worst Case
Attackers can perform state-changing actions on behalf of authenticated users, including account takeover, data manipulation, or administrative actions if the victim has elevated privileges.
Likely Case
Attackers can trick authenticated users into performing unintended actions like changing passwords, making purchases, or modifying data through crafted requests.
If Mitigated
With proper input validation and CSRF token requirements, the attack surface is reduced, but the fundamental bypass remains possible until patched.
🎯 Exploit Status
Exploitation requires the victim to be authenticated and tricked into visiting a malicious page. The bypass technique is straightforward once understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.4 or later
Vendor Advisory: https://bakery.cakephp.org/2020/12/07/cakephp_4010_released.html
Restart Required: No
Instructions:
1. Update CakePHP to version 4.1.4 or later using composer: 'composer require cakephp/cakephp:^4.1.4'
2. Clear application cache: 'bin/cake cache clear_all'
3. Verify the update with 'composer show cakephp/cakephp'
🔧 Temporary Workarounds
Disable method override
Disable HTTP method override functionality in your application configuration
In config/app.php set 'App.base' to false or remove method override middleware
Custom CSRF validation
Implement custom CSRF validation that validates HTTP methods strictly
Create custom middleware that extends CsrfProtectionMiddleware and adds method validation
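The following is an added illustration of the strict method validation this workaround calls for; it is plain Python modelling the two decisions a hardened middleware makes, not CakePHP code and not the project's own middleware. The `Request` class, the allow-lists and the "fail closed" status strings are assumptions made for the example: an override is honoured only when it names one of the methods a form cannot express (PUT, PATCH, DELETE), anything else is rejected outright, and every method that is not explicitly safe must carry a token.

```python
"""Model of strict HTTP method-override handling (illustrative, not CakePHP).

Two decisions are modelled: resolve the effective method from an override,
then decide whether a CSRF token is required. An unrecognised override
string can never slip past the token check because both steps fail closed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Assumed allow-lists for the example.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH", "DELETE"})
OVERRIDABLE_TO = frozenset({"PUT", "PATCH", "DELETE"})   # what a POST may be rewritten to
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})      # never change state, need no token


class MethodOverrideError(ValueError):
    """Raised when a request supplies an override that is not an allowed method."""


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for the example)."""
    method: str
    form: dict = field(default_factory=dict)      # parsed body parameters
    headers: dict = field(default_factory=dict)
    csrf_token: Optional[str] = None             # token carried by the request
    session_token: Optional[str] = None          # token expected by the server


def resolve_method(request: Request) -> str:
    """Return the effective method, honouring _method / X-Http-Method-Override
    only on POST and only when the override names an allowed target method."""
    base = request.method.upper()
    if base not in ALLOWED_METHODS:
        raise MethodOverrideError(f"unknown HTTP method {base!r}")
    if base != "POST":
        return base
    override = request.form.get("_method") or request.headers.get("X-Http-Method-Override")
    if override is None:
        return base
    override = override.upper()
    if override not in OVERRIDABLE_TO:
        # Fail closed: reject the request instead of passing an arbitrary
        # string on for later code to misinterpret.
        raise MethodOverrideError(f"rejected method override {override!r}")
    return override


def csrf_token_required(method: str) -> bool:
    """Fail closed: every method that is not explicitly safe needs a token."""
    return method not in SAFE_METHODS


def authorize(request: Request) -> str:
    """Run both checks and report the outcome as a short status string."""
    try:
        method = resolve_method(request)
    except MethodOverrideError:
        return "rejected:bad-method"
    if csrf_token_required(method):
        if request.csrf_token is None or request.session_token is None:
            return "rejected:csrf"
        if not hmac.compare_digest(request.csrf_token, request.session_token):
            return "rejected:csrf"
    return f"allowed:{method}"


if __name__ == "__main__":
    ok = Request("POST", form={"_method": "DELETE"}, csrf_token="t1", session_token="t1")
    odd = Request("POST", form={"_method": "FOO"}, csrf_token="t1", session_token="t1")
    print(authorize(ok))   # allowed:DELETE
    print(authorize(odd))  # rejected:bad-method
```

The design point is the order of the checks: the method is normalised and validated before the CSRF decision is made, so the token requirement is derived from a known method rather than from whatever string the client supplied.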
🧯 If You Can't Patch
- Implement additional CSRF protection layers like SameSite cookies or custom token validation
- Use web application firewall rules to block requests with unusual HTTP methods
🔍 How to Verify
Check if Vulnerable:
Check the CakePHP version with 'composer show cakephp/cakephp' and verify whether it falls between 4.0.0 and 4.1.3
Check Version:
composer show cakephp/cakephp | grep versions
Verify Fix Applied:
Confirm version is 4.1.4 or later with 'composer show cakephp/cakephp' and test CSRF protection with method override attempts
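As an added helper for the version check above (example code, not from the advisory or the CakePHP project), this script parses the `versions : * X.Y.Z` line that `composer show` prints for an installed package and reports whether the version sits in the 4.0.0 to 4.1.3 window. The sample listing is constructed to resemble composer's output; the exact spacing of real output may differ, which is why the match is a tolerant regular expression.

```python
"""Classify a `composer show cakephp/cakephp` listing against the affected range.

Added example. AFFECTED_MIN/MAX are taken from the advisory (fix in 4.1.4);
the sample output is constructed and only approximates composer's layout.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (4, 0, 0)
AFFECTED_MAX: Version = (4, 1, 3)   # last affected release; 4.1.4 carries the fix

# Matches the installed-version line, e.g. "versions : * 4.1.3" or "* v4.1.3".
VERSION_LINE = re.compile(r"^\s*versions\s*:\s*\*\s*v?(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_installed_version(composer_output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from composer's listing, or None if absent."""
    m = VERSION_LINE.search(composer_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when the version is inside the inclusive 4.0.0 .. 4.1.3 window."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(composer_output: str) -> str:
    """Return 'vulnerable', 'not-affected', or 'unknown' (version line not found)."""
    version = parse_installed_version(composer_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_affected(version) else "not-affected"


# Constructed sample resembling `composer show cakephp/cakephp` output.
SAMPLE_OUTPUT = """\
name     : cakephp/cakephp
descrip. : The CakePHP framework
versions : * 4.1.3
type     : library
"""

if __name__ == "__main__":
    print(parse_installed_version(SAMPLE_OUTPUT), assess(SAMPLE_OUTPUT))  # (4, 1, 3) vulnerable
```

Pipe real output into it with `composer show cakephp/cakephp | python3 check_version.py` after adding a `sys.stdin.read()` call, or paste the listing into `SAMPLE_OUTPUT`; a result of "unknown" means the version line was not recognised and should be read by hand rather than treated as safe.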
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with unusual method names (anything other than GET, POST, PUT, PATCH, DELETE, HEAD or OPTIONS)
- CSRF validation failures followed by successful requests with different methods
Network Indicators:
- Requests containing _method parameter with non-standard HTTP methods
- POST requests that should fail CSRF but succeed
SIEM Query:
http.method NOT IN ('GET','POST','PUT','DELETE','HEAD','OPTIONS','PATCH') AND http.user_agent CONTAINS 'CakePHP'
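The detection logic above, run over web-server access logs, as an added example that is not part of the advisory: the script parses combined-format log lines (a constructed sample is embedded), flags request lines whose method is outside the standard set, and flags `_method` query parameters whose value is not a standard method. The standard-method list is the one used in the SIEM query; the sample IP addresses and hostnames are reserved documentation values.

```python
"""Scan access-log lines for the two indicators named in the advisory:
non-standard request methods and non-standard `_method` override values.

Added example; the log lines below are constructed, not captured traffic.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Same set as the advisory's SIEM query.
STANDARD_METHODS = frozenset({"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"})

# Apache/nginx "combined" format: client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def override_from_target(target: str) -> Optional[str]:
    """Return the `_method` query value if present (body fields are not in access logs)."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("_method")
    return values[0] if values else None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: which indicator fired and the offending value."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # unparsable lines are skipped, not treated as findings
        method = rec["method"].upper()
        if method not in STANDARD_METHODS:
            findings.append({"client": rec["client"], "time": rec["time"],
                             "indicator": "nonstandard-method", "value": rec["method"]})
        override = override_from_target(rec["target"])
        if override is not None and override.upper() not in STANDARD_METHODS:
            findings.append({"client": rec["client"], "time": rec["time"],
                             "indicator": "nonstandard-override", "value": override})
    return findings


# Constructed sample: two benign lines and two that should each raise one finding.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2020:13:55:36 +0000] "POST /users/edit/42?_method=FOO HTTP/1.1" 200 512 "https://other-site.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2020:13:56:01 +0000] "FOO /users/edit/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Dec/2020:13:57:10 +0000] "POST /users/edit/42?_method=PUT HTTP/1.1" 302 0 "https://app.example/users/42" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Dec/2020:13:58:00 +0000] "GET /users/42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['indicator']}={f['value']!r}")
```

A caveat for anyone deploying this: the `_method` form field and the `X-Http-Method-Override` header travel in the request body and headers, which standard access logs do not record, so the query-string check only catches overrides sent in the URL. To see the body and header variants, log the parsed method at the application or reverse-proxy layer (or capture the relevant fields in a structured request log) and feed those records to the same allow-list comparison.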