diff --git a/classes/module/ModuleHandler.class.php b/classes/module/ModuleHandler.class.php
index 9fadc71aa..a1a21c1b4 100644
--- a/classes/module/ModuleHandler.class.php
+++ b/classes/module/ModuleHandler.class.php
@@ -525,6 +525,34 @@ class ModuleHandler extends Handler
 			$tpl_path = $oModule->getTemplatePath();
 			$orig_module = $oModule;
+			$xml_info = $oModuleModel->getModuleActionXml($forward->module);
+
+			// SECISSUE also check foward act method
+			// check REQUEST_METHOD in controller
+			if($type == 'controller')
+			{
+				$allowedMethod = $xml_info->action->{$forward->act}->method;
+
+				if(!$allowedMethod)
+				{
+					$allowedMethodList[0] = 'POST';
+				}
+				else
+				{
+					$allowedMethodList = explode('|', strtoupper($allowedMethod));
+				}
+
+				if(!in_array(strtoupper($_SERVER['REQUEST_METHOD']), $allowedMethodList))
+				{
+					$this->error = "msg_invalid_request";
+					$oMessageObject = ModuleHandler::getModuleInstance('message', $display_mode);
+					$oMessageObject->setError(-1);
+					$oMessageObject->setMessage($this->error);
+					$oMessageObject->dispMessage();
+					return $oMessageObject;
+				}
+			}
+
 			if($type == "view" && Mobile::isFromMobilePhone())
 			{
 				$orig_type = "view";
@@ -557,8 +585,6 @@ class ModuleHandler extends Handler
 				return $oMessageObject;
 			}
-			$xml_info = $oModuleModel->getModuleActionXml($forward->module);
-
 			if($this->module == "admin" && $type == "view")
 			{
 				if($logged_info->is_admin == 'Y')
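Review bot: The allowed-method list built from the XML `method` attribute in the first hunk is never trimmed, so a value written as `GET | POST` yields entries like `' POST'` that can never equal `strtoupper($_SERVER['REQUEST_METHOD'])`, and the forwarded act is rejected with `msg_invalid_request`; use `$allowedMethodList = array_map('trim', explode('|', strtoupper($allowedMethod)));` and pass `true` as the third argument to `in_array` since both sides are already normalised strings. The fail-closed default to POST when no `method` is declared is the security-relevant part of this check and should be stated in the comment rather than left as `SECISSUE also check foward act method`, e.g. `// Forwarded controller acts must honour the action's XML method attribute; default to POST so a plain GET cannot reach a state-changing controller act` (this also fixes the `foward` typo). The two branches also build the list asymmetrically, one by index assignment and one by whole assignment; `$allowedMethodList = array('POST');` keeps them parallel and avoids depending on `$allowedMethodList` being unset beforehand. The enclosing method starts and ends outside the hunk, so it cannot be confirmed here that `$forward` and `$display_mode` are always populated when this block runs; if `$forward->act` is absent from the XML, the property access on a missing node presumably falls back to the POST default, which is the safe direction but worth verifying.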