Bug 236063 - Proxy auto config reported as false positive
Summary: Proxy auto config reported as false positive
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: mod_security
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Michael Fleming
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-11 19:05 UTC by Jari Turkia
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-06-17 12:39:49 UTC



Description Jari Turkia 2007-04-11 19:05:23 UTC
Description of problem:
Proxy auto configuration file http://wpad/wpad.dat is reported as false positive.

Version-Release number of selected component (if applicable):
2.1.0-3.fc6

How reproducible:
Always. Easily.

Steps to Reproduce:
1. Create file wpad.dat into Apache publish root ()
2. Access http://wpad/wpad.dat
  
Actual results:
HTTP error 500 is returned.

Expected results:
HTTP 200 and the file is expected.

Additional info:
It would be nice to have a file extension allow example in the configs.

Comment 1 Michael Fleming 2007-04-18 09:51:47 UTC
Hi,

Can you find the log entry (or entries) in the mod_security logs
(modsec_audit.log  or similar) relating to this issue? There will be an
identifier that will indicate which rule the request has triggered.

This will enable me to report the issue to the upstream (the Core Rules
maintainer, most likely) appropriately.

Comment 2 Jari Turkia 2007-04-18 13:33:24 UTC
Sure. Here goes:

[Mon Apr 09 09:56:17 2007] [error] [client xxx.yyy.zzz.ååå] ModSecurity: Access
denied with code 500 (phase 1). Pattern match
"\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs..."
at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by
policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"]
unique_id "iKokRcCoCAEAACmtslwAAAAD"]

Comment 3 Michael Fleming 2007-06-17 12:39:49 UTC
This is part of the upstream package's Core Rules set
(http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) 

I would suggest disabling the rule (or set it to just log) if you can't rename
the file to use another extension.

I am planning to update the existing package to a new ruleset and main package,
which _may_ help your situation.
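
The triage described in comments 1 to 3 (find the rule id in the log, then see which part of the pattern matched), as an added example that is not part of the bug report or of ModSecurity itself. The function names, the sample log lines and the client address are constructed for illustration; only the pattern fragment quoted in comment 3 is used, since the full pattern is truncated in the log.

```python
import re
from collections import Counter
from posixpath import basename

# Only the fragment of rule 960035's pattern quoted in comment 3; the full
# pattern is truncated in the log, so nothing beyond this is assumed.
FRAGMENT = re.compile(r"\.(d(?:bf?|at|ll|os))")
DENY = re.compile(r'Access denied with code (\d+) \(phase (\d)\)\. .*?" at ([A-Z_]+)\.')
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_denial(line):
    """Fields of one ModSecurity 'Access denied' error-log line, or None."""
    m = DENY.search(line)
    if not m:
        return None
    rec = {"code": int(m.group(1)), "phase": int(m.group(2)), "variable": m.group(3)}
    rec.update(TAG.findall(line))  # [id "..."] [msg "..."] [uri "..."] ...
    return rec

def blocked_extension(uri):
    """Alternative of FRAGMENT found in the URI's basename, or None."""
    m = FRAGMENT.search(basename(uri.split("?", 1)[0]))
    return m.group(1) if m else None

def triage(lines):
    """Count denials per (rule id, uri) so a repeating false positive stands out."""
    hits = Counter()
    for rec in filter(None, map(parse_denial, lines)):
        hits[(rec.get("id"), rec.get("uri"))] += 1
    return hits

# Constructed sample input modelled on the entry in comment 2 (client address
# replaced with a documentation address, pattern shortened to FRAGMENT).
_REST = (r'[error] [client 192.0.2.10] ModSecurity: Access denied with '
         r'code 500 (phase 1). Pattern match "\\.(?:d(?:bf?|at|ll|os))" at '
         r'REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted '
         r'by policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] '
         r'[uri "/wpad.dat"]')
SAMPLE_LOG = [
    "[Mon Apr 09 09:56:17 2007] " + _REST,
    "[Mon Apr 09 09:57:00 2007] [notice] caught SIGTERM, shutting down",
    "[Mon Apr 09 09:58:02 2007] " + _REST,
]

if __name__ == "__main__":
    for (rule_id, uri), count in triage(SAMPLE_LOG).items():
        print(rule_id, uri, count, "matched extension:", blocked_extension(uri))
```
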


Comment 4 Jari Turkia 2007-06-18 09:48:20 UTC
(In reply to comment #3)
> This is part of the upstream package's Core Rules set
> (http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
> it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) 

Ok. I agree, it works as advertised.
 
> I would suggest disabling the rule (or set it to just log) if you can't rename
> the file to use another extension.

Look. It is proxy autoconfig. It needs to be wpad.dat. The reason I filed this
bug is that perhaps there could be an exception for this file.

> I am planning to update the existing package to a new ruleset and main package,
> which _may_ help your situation.

Great!

If possible, in the files include examples on how to change a rule to be
log-only or how to create an exception for a file or directory. The rules look
very complex.


