Bug #98264

Updated by Stefan P over 1 year ago

The class @TYPO3\CMS\Core\Http\Request@ will log any "unsupported" HTTP method as an Exception to the logs. @\InvalidArgumentException('Unsupported HTTP method "' . $method . '".', 1436717275);@ 

Knowing this, one can exploit any modern TYPO3 setup by simply doing @curl -XUNKWNONMETHOD https://target-host@ in a "slow" loop (slow enough to not be considered a DoS) and spam everyone's @sys_log@.

The correct way of handling an unsupported method is by answering with @501 (Not Implemented)@.

 Discovered in v10, but still valid in current master.
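
The difference between the two behaviours described in this report, as an added example that is not TYPO3 code and not part of the original report. The method list, the function names, the in-memory array standing in for @sys_log@ and the 500 answer of the throwing path are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the methods this application implements; not TYPO3's own list.
const IMPLEMENTED_METHODS = ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];

// Hypothetical stand-in for a request constructor that rejects unknown methods by throwing.
function buildRequest(string $method): array
{
    if (!in_array($method, IMPLEMENTED_METHODS, true)) {
        throw new InvalidArgumentException('Unsupported HTTP method "' . $method . '".');
    }
    return ['method' => $method];
}

// Before: the exception reaches a generic handler that records it.
// Assumption: that handler answers 500; $log stands in for sys_log.
function handleByThrowing(string $method, array &$log): int
{
    try {
        buildRequest($method);
        return 200;
    } catch (Throwable $e) {
        $log[] = $e->getMessage(); // one persistent entry per request with a bogus method
        return 500;
    }
}

// After: check the method first; an unknown one is answered, not treated as an error.
function handleWithGuard(string $method, array &$log): int
{
    if (!in_array($method, IMPLEMENTED_METHODS, true)) {
        return 501; // Not Implemented, and nothing is written to the log
    }
    buildRequest($method);
    return 200;
}

// Constructed sample traffic: two normal requests and three with a made-up method.
$traffic = ['GET', 'UNKWNONMETHOD', 'POST', 'UNKWNONMETHOD', 'UNKWNONMETHOD'];
$before = [];
$after = [];
foreach ($traffic as $m) {
    printf("%-14s throwing=%d guard=%d\n", $m, handleByThrowing($m, $before), handleWithGuard($m, $after));
}
printf("log entries: throwing=%d guard=%d\n", count($before), count($after));
```

In a real deployment the guard belongs at the earliest point where the request method is available, so that the check runs before any code path that throws.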
