PUT requests are altering the contents of the index.php

6 October 2017, 10:12
We are using Hiawatha to serve backends for several mobile apps. One of our apps is communicating with one of its API endpoint with PUT requests.

This is the the backend repo: Connfa Integration Server [], it's actually a Laravel app.

Everytime the mobile apps send PUT requests to updateSchedule endpoint, contents of the public/index.php is overwritten with the JSON data, i.e.:


As you might have easily guessed, this file level alteration renders the whole backend obsolete and mobile apps start to crash, panel becomes inaccessable.

My setup is Hiawatha v10.6, PHP 7.0.19-1, MariaDB 10.1.26 on Debian 9.1. And this is the virtual host config I use on Hiawatha. "EnableAlter = yes" is present at the binding level, scannerblocker UrlToolkit has regexes for bunch of common User-Agents and scannerblocker UrlToolkit blocks requests to alternative locations of phpMyAdmin and several other locations for xmlrpc etc. (Forum didn't allow me to post the message with their content, I had to remove them in order get pass the spam detection).

UrlToolkit {
ToolkitID = laravel
RequestURI exists Return
Match [^?]*(\?.*)? Rewrite /index.php$1

VirtualHost {
Hostname = app.domain.tld
WebsiteRoot = /var/www/app.domain.tld/http/public
StartFile = index.php
Alias = /logs:/var/www/app.domain.tld/logs
UseLocalConfig = yes
AccessLogfile = /var/www/app.domain.tld/logs/access.log
ErrorLogfile = /var/www/app.domain.tld/logs/error.log
AlterList = allow all
TimeForCGI = 50
UseFastCGI = PHP7
UseToolkit = scannerblocker
UseToolkit = vulnerabilityblocker
UseToolkit = laravel
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
DenyBody = ^.*%3Cmeta.*%2F%3E.*$
DenyBody = ^.*%3Ciframe.*%2F%3E.*$
DenyBody = ^.*%00.*$
PreventCSRF = yes
PreventXSS = yes
RandomHeader = 250
CustomHeader = X-Frame-Options: DENY
CustomHeader = X-XSS-Protection: 1; mode=block
CustomHeader = X-Content-Type-Options: nosniff
CustomHeader = Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic' http:; form-action 'self'; frame-ancestors 'none';$

Trying different things for a couple of days now, but couldn't solve it yet. So I thought the issue might be related to Hiawatha. To be sure, I moved the backend to another server, which runs nginx, and I used the virtual host config below:

server {
listen 80;
root /var/www/app.domain.tld/http/public;
index index.php index.html index.htm;
access_log /var/www/app.domain.tld/logs/access.log;
error_log /var/www/app.domain.tld/logs/error.log;

server_name app.domain.tld;

location / {
try_files $uri $uri/ /index.php?$query_string;
dav_methods put;
client_body_temp_path /var/www/app.domain.tld/http/public/temp;
create_full_put_path on;
client_max_body_size 0;
dav_access user:rw group:rw all:rw;

location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php5-fpm.sock;

Mobile apps communicate successfuly with the backend with nginx and index.php left unaltered.

Am I doing something wrong in my Hiawatha setup? Or did I unintentionally step on a bug here?
Hugo Leisink
8 October 2017, 16:06
Use the following setting for your virtual host:
VirtualHost {
WebDAVapp = yes
David Oliver
9 October 2017, 21:21
I usually set app files' permissions so that they're not writeable by PHP and the webserver.

Out of interest, what is the reason here that a PHP file is being overwritten?
Hugo Leisink
10 October 2017, 08:03
Because of the PUT request. A PUT request means: replace the content of the file with the request body.
11 October 2017, 12:49
Sorry for missing that part on the manual Hugo, thanks for pointing out, appreciated.

Problem has been solved.
This topic has been closed.