
@afuggini
Created February 9, 2026 18:24
Clarín PUT/DELETE Vulnerability Report - Feb 2026

🚨 Clarín - PUT/DELETE Vulnerability Report

Date: 2026-02-09
Severity: MEDIUM-HIGH
Target: www.clarin.com


Executive Summary

The Clarín web server answers PUT and DELETE requests on valid paths with HTTP 200 and the normal page body. No content modification was observed during testing; the behaviour is consistent with the server, or the CDN in front of it, treating unsupported methods as GET instead of rejecting them with 405 Method Not Allowed. This is a security misconfiguration and a deviation from HTTP semantics rather than a demonstrated data-modification bug, but it should still be fixed.


Findings

Paths Accepting PUT and DELETE (HTTP 200)

Path        PUT response      DELETE response
/           200 ✅ Accepts    200 ✅ Accepts
/login      200 ✅ Accepts    200 ✅ Accepts
/videos     200 ✅ Accepts    200 ✅ Accepts
/wp-login   200 ✅ Accepts    200 ✅ Accepts

Content Types Tested (All Return 200)

  • application/json → 200
  • application/x-www-form-urlencoded → 200
  • multipart/form-data → 200
  • text/xml → 200

Proof of Concept

# PUT request on homepage - returns 200 and the normal page body
curl -X PUT https://www.clarin.com/ \
  -H "Content-Type: application/json" \
  -d '{"test": "data"}' \
  -w "\nHTTP Code: %{http_code}\n"

# DELETE request on homepage - returns 200
curl -X DELETE https://www.clarin.com/ \
  -w "\nHTTP Code: %{http_code}\n"

# Expected secure response: 405 Method Not Allowed, with an Allow header
# listing the supported methods (or 501 Not Implemented)
# Actual response: 200 OK

Risk Analysis

Current Behavior

The server returns the normal page content for PUT/DELETE requests, suggesting one of:

  1. The methods are accepted but ignored: the request falls through to the GET handler and nothing is written.
  2. OR the framework/CDN in front of the origin is not blocking these methods and passes them through.

To tell a harmless fall-through from a route that actually does something, compare the PUT/DELETE response with a GET on the same path: the same status, a byte-identical body and no Allow header point to option 1; a different status, body or redirect, or a changed resource on a subsequent GET, needs further investigation.

Why This Is Still a Problem

  1. Violation of HTTP Semantics: per RFC 7231, a 200 response to PUT or DELETE tells the client that the resource was replaced or removed. A server that does not support a method on a resource should answer 405 Method Not Allowed with an Allow header listing the methods it does support, or 501 Not Implemented.

  2. Attack Surface: an origin with no blanket method policy accepts every method by default, so an attacker enumerating API endpoints only has to find one route that does process PUT/DELETE.

  3. Security Tools Flagging: automated scanners (Burp, OWASP ZAP, Nessus) will flag this as a finding, and it will reappear in every assessment until it is fixed.

  4. Potential for Future Vulnerabilities: if a developer adds a route that handles these methods without proper authorization, nothing upstream stops the request; the gap is reachable immediately.

  5. WAF Bypass: if backend APIs sit behind the same CDN, allowing PUT/DELETE at the edge means every application has to enforce its own method restrictions; a method rule at the CDN is a cheap defence-in-depth layer.


Severity Assessment

Factor           Rating
Exploitability   Medium (methods accepted; impact not established by these tests)
Impact           Medium-High (potential for data modification if any route honours the methods)
CVSS Estimate    5.3 - 6.5 (Medium), assuming such a route exists; the observed GET fall-through on its own sits at the low end (CWE-749)

Recommended Fix

Nginx

# Block dangerous methods at server level (server or location context).
# Note: a plain `return 405` does not add the Allow header RFC 7231 asks for;
# `limit_except` is the per-location alternative but answers 403, not 405.
if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$) {
    return 405;
}

Apache

# Deny every method except the listed ones; restricting GET also covers HEAD.
# Note: `Require all denied` answers 403 Forbidden, not 405, so adjust the
# verification step accordingly.
<LimitExcept GET HEAD POST OPTIONS>
    Require all denied
</LimitExcept>

Cloudflare (WAF custom rule)

(http.request.method in {"PUT" "DELETE" "PATCH" "CONNECT" "TRACE"})
→ Block

A Block action answers 403 rather than 405; for this target that is acceptable, since the goal is to stop the methods from reaching the origin at all.

Verification After Fix

After implementing the fix, re-run the probes and look at the status code only (the page body is not needed):

curl -s -o /dev/null -X PUT https://www.clarin.com/ -w "%{http_code}\n"
# Expected: 405 (nginx rule); 403 if blocking is done by Apache's Require all denied or the Cloudflare rule

curl -s -o /dev/null -X DELETE https://www.clarin.com/ -w "%{http_code}\n"
# Expected: 405 (or 403, as above)

# Where the server sends 405, it should also carry an Allow header listing the supported methods:
curl -s -o /dev/null -X PUT https://www.clarin.com/ -D - | grep -i '^allow:'
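The comparison described under Current Behavior and the post-fix check above can be automated. The script below is an added example written for this report; it is not the Bounty Hunt CLI, nor code from Clarín's stack. It classifies each (method, path) pair as "rejected" (405/501, with the Allow header recorded), "get-fallthrough" (same status and byte-identical body as GET, so the method is simply ignored) or "distinct" (the method does something and needs a closer look). So that it runs offline, it ships with two constructed in-process servers: Misconfigured mimics what the report observed (every method served like GET) and Fixed mimics the recommended fix (405 plus Allow). The server classes, the localhost URLs, the page body and the function names are all assumptions of this example; point probe_host() at a real base URL to use it against a live target.

```python
"""Classify how a host handles non-GET methods: rejected, GET fall-through, or distinct.

Added example for this report, not the Bounty Hunt CLI or Clarín's code. Two
constructed in-process servers make it run offline: `Misconfigured` answers every
method exactly like GET (the behaviour the report observed), `Fixed` returns
405 with an Allow header for anything outside the allow-list (the recommended fix).
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ALLOWED = ("GET", "HEAD", "POST", "OPTIONS")
PROBED = ("PUT", "DELETE", "PATCH")
PATHS = ("/", "/login", "/videos", "/wp-login")      # paths from the report
PAGE = b"<html><body>front page (constructed)</body></html>"


class Misconfigured(BaseHTTPRequestHandler):
    """Constructed stand-in: every method falls through to the GET handler."""

    def _drain(self):
        # Read any request body so the client never sees a connection reset.
        length = int(self.headers.get("Content-Length", 0))
        if length:
            self.rfile.read(length)

    def _page(self):
        self._drain()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(PAGE)

    do_GET = do_HEAD = do_POST = do_OPTIONS = do_PUT = do_DELETE = do_PATCH = _page

    def log_message(self, *args):  # keep the demo output quiet
        pass


class Fixed(Misconfigured):
    """Constructed stand-in for the fix: 405 plus Allow for non-allow-listed methods."""

    def _reject(self):
        self._drain()
        self.send_response(405)
        self.send_header("Allow", ", ".join(ALLOWED))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_PUT = do_DELETE = do_PATCH = _reject


def serve(handler):
    """Start a handler on an ephemeral localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(base, method, path, body=None):
    """Return (status, headers, body); 4xx/5xx responses are returned, not raised."""
    req = Request(base + path, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except HTTPError as err:
        return err.code, err.headers, err.read()


def classify(base, method, path):
    """Compare a non-GET request with GET on the same path.

    'rejected'        -> 405/501, the correct behaviour (Allow header reported)
    'get-fallthrough' -> same status and byte-identical body as GET: nothing is
                         written, the method is simply ignored
    'distinct'        -> anything else: the method does something; investigate
    """
    get_status, _, get_body = fetch(base, "GET", path)
    body = None if method == "DELETE" else b'{"test": "data"}'
    status, headers, resp_body = fetch(base, method, path, body)
    allow = headers.get("Allow")
    if status in (405, 501):
        return "rejected", status, allow
    if status == get_status and resp_body == get_body:
        return "get-fallthrough", status, allow
    return "distinct", status, allow


def probe_host(base):
    """Map (method, path) -> classify() result for every probed method and path."""
    return {(m, p): classify(base, m, p) for p in PATHS for m in PROBED}


if __name__ == "__main__":
    for name, handler in (("misconfigured", Misconfigured), ("fixed", Fixed)):
        srv, base = serve(handler)
        for (method, path), (verdict, status, allow) in probe_host(base).items():
            print(f"{name:14} {method:6} {path:10} {status} {verdict:16} Allow={allow}")
        srv.shutdown()
```

Run it before and after the change: against the misconfigured server every pair comes back as get-fallthrough with 200, against the fixed one as rejected with 405 and an Allow header. A "distinct" verdict on a real host is the result worth chasing, because it means the method is doing more than echoing the GET page.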

References

  • OWASP Web Security Testing Guide: Test HTTP Methods (WSTG-CONF-06)
  • CWE-749: Exposed Dangerous Method or Function
  • RFC 7231: HTTP/1.1 Semantics and Content (PUT §4.3.4, DELETE §4.3.5, 405 Method Not Allowed §6.5.5, 501 Not Implemented §6.6.2, Allow header §7.4.1; obsoleted by RFC 9110)

Report generated by Bounty Hunt CLI
