Our security team ran a web-inspect security scan on our Drupal 7 site and reported that our site is vulnerable to verb tunneling using headers or query parameters such as X-HTTP-Method, X-HTTP-Method-Override, X-Method-Override, or a query parameter such as _method to use an override method to gain access to restricted HTTP methods. Not sure if this is a legitimate vulnerability for Drupal 7, or can these kinds of HTTP headers for verb tunneling be disabled? Any response is greatly appreciated. We are using nginx and php-fpm on a Linux server for our Drupal 7 application.

Comments

Jean Mercedes

Hello, @srirams.

I am facing the same problem in Drupal 8. I have spent a lot of time researching but still can't find a solution. Have you been lucky to resolve the error? To avoid this vulnerability, should I use a configuration on the server or in Drupal?

If anyone else has been able to resolve this error, please comment.

Thank you,
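
One way to refuse the override headers and the `_method` query parameter named in the question at the nginx layer, before a request reaches php-fpm. This is an added example, not part of the original thread; the server name, document root, socket path and the choice of a 405 response are assumptions, and any client that legitimately depends on method override would be blocked as well.

```nginx
# Added example (constructed). The map block belongs in the http {} context.
# It concatenates the three override headers and the _method query argument;
# the result is the empty string only when none of them was sent.
map "$http_x_http_method$http_x_http_method_override$http_x_method_override$arg__method" $verb_tunnel {
    ""      0;   # no override present
    default 1;   # at least one override header or _method argument present
}

server {
    listen 80;
    server_name example.org;            # placeholder host name
    root /var/www/drupal;               # placeholder document root

    # Reject the request outright so the application never sees an
    # overridden method. $arg__method only covers the query string;
    # a _method field in a POST body is not inspected here.
    if ($verb_tunnel) {
        return 405;
    }

    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed php-fpm socket path
    }
}
```

Check the syntax with `nginx -t` before reloading, then confirm that a request such as `curl -i -X POST -H 'X-HTTP-Method-Override: DELETE' http://example.org/` returns 405 while the same request without the header behaves as before.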