Mod Security converts PUT requests to GET requests

Recently, I was on an admin system on one of my websites and noticed that some of the AJAX requests had stopped working. They worked for fetching data, and creating it, but I could not update or delete anything. I tried another website. It happened there, too.

Initially, Slim was telling me it was a 405 Method Not Allowed. But I could see I was sending a PUT and the exception said it must be of type PUT. Very weird. In the end, I decided to output the $_SERVER['REQUEST_METHOD'] to see what was going on. It said it was a GET request.

I pulled up Paw, my desktop request client, and manually sent a PUT request to a file I had created to print the request method. It too said GET. By this point then, I knew that it was probably Apache converting the request from a PUT to a GET. Or more likely that I was sending a PUT but it was returning a 403 Forbidden as a GET request for some reason.

The answer eventually came in the form of Mod Security. It uses something called OWASP ModSecurity 2.9 Core Rule Set v3.3.2 which allows GET and POST requests but denies PUT and DELETE requests. I am not sure why this is as they are legitimate verbs to be using, but when I altered this to allow PUT requests, everything started working fine again.
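
The method restriction described above comes from the rule set's allowed-methods setting. As an added example (not from the original post), this is how that list is set in CRS 3.x, with a site-wide change beside one scoped to a single path; the `/admin/api/` prefix and rule id 10001 are assumptions for illustration.

```apache
# CRS 3.x default, applied by REQUEST-901-INITIALIZATION.conf when nothing
# else has set it. Rule 911100 ("Method is not allowed by policy") then
# blocks every request whose method is not in this list:
#   tx.allowed_methods=GET HEAD POST OPTIONS

# Option 1 (broad): allow PUT and DELETE for the whole site by enabling
# rule 900200 in crs-setup.conf. Every URL now accepts these verbs.
#SecAction \
#    "id:900200,\
#    phase:1,\
#    nolog,\
#    pass,\
#    t:none,\
#    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

# Option 2 (scoped): widen the list only for the API that needs it.
# Place this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf so it runs
# before the 901 initialization rules; all other paths keep the default.
# Assumptions: the /admin/api/ prefix and the custom rule id 10001.
SecRule REQUEST_URI "@beginsWith /admin/api/" \
    "id:10001,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"
```

Use one option, not both. With the scoped rule, a PUT to any path outside the prefix is still rejected by rule 911100.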


This entry was posted on Sunday, September 18th, 2022 at 11:00 am and is filed under Tech.