Many URL authentication and authorization mechanisms make security decisions based on the HTTP verb in the request, and many of these mechanisms work in a counter-intuitive way. Combined with some oddities in the way that both web and application servers handle unexpected HTTP verbs, this makes the rules dictated by those mechanisms bypassable. This article goes into detail discussing this vulnerability and how the various vendors are affected. What do you think about this attack? Do you think we should be concerned?

The link for this article located at webappsec is no longer available.
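
The following is an added example, not code from the original article or from any vendor. It models a verb-scoped access rule under two assumptions: a rule applies only to the verbs it names, and a request that no rule covers is permitted. It then audits a rule set for verbs that slip past it. `Rule`, `is_allowed` and `audit` are hypothetical names, and the sample rules are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    path_prefix: str       # URL prefix the rule protects
    methods: frozenset     # verbs the rule names; empty set means every verb
    required_role: str     # role a caller needs when the rule applies

# Verbs to probe during an audit; "UNLISTED" stands in for any unexpected verb.
PROBE_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE",
               "OPTIONS", "TRACE", "PATCH", "UNLISTED")

def is_allowed(rules, method, path, roles, default_deny_unlisted=False):
    """Evaluate a request against verb-scoped rules (assumed semantics)."""
    method = method.upper()
    path_is_protected = False
    for rule in rules:
        if not path.startswith(rule.path_prefix):
            continue
        path_is_protected = True
        if rule.methods and method not in rule.methods:
            continue  # rule names other verbs, so it does not apply here
        return rule.required_role in roles
    # No rule covered this verb. Permitting here is the gap; the hardened
    # mode refuses any verb on a protected path that no rule accounts for.
    if path_is_protected and default_deny_unlisted:
        return False
    return True

def audit(rules, probe_verbs=PROBE_VERBS):
    """List (path_prefix, verb) pairs that a caller with no roles can reach."""
    gaps = set()
    for rule in rules:
        for verb in probe_verbs:
            if is_allowed(rules, verb, rule.path_prefix, frozenset()):
                gaps.add((rule.path_prefix, verb))
    return sorted(gaps)

# Constructed sample rule sets: the first names verbs, the second does not.
WEAK = [Rule("/admin", frozenset({"GET", "POST"}), "admin")]
HARDENED = [Rule("/admin", frozenset(), "admin")]

if __name__ == "__main__":
    print("weak rule set gaps:    ", audit(WEAK))
    print("hardened rule set gaps:", audit(HARDENED))
```

Running the audit against a real rule set means translating each constraint into a `Rule`; an empty result for every protected prefix is the target state.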