236063 – Proxy auto config reported as false positive

Bug 236063 - Proxy auto config reported as false positive

Summary: Proxy auto config reported as false positive

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	mod_security
Sub Component:
Version:	6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Michael Fleming
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-11 19:05 UTC by Jari Turkia
Modified:	2007-11-30 22:12 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-06-17 12:39:49 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Jari Turkia 2007-04-11 19:05:23 UTC

Description of problem:
Proxy auto configuration file http://wpad/wpad.dat is reported as false positive.

Version-Release number of selected component (if applicable):
2.1.0-3.fc6

How reproducible:
Always. Easily.

Steps to Reproduce:
1. Create file wpad.dat into Apache publish root ()
2. Access http://wpad/wpad.dat
  
Actual results:
HTTP error 500 is returned.

Expected results:
HTTP 200 and the file is expected.

Additional info:
It would be nice to have a file extension allow example in the configs.

Comment 1 Michael Fleming 2007-04-18 09:51:47 UTC

Hi,

Can you find the log entry (or entries) in the mod_security logs
(modsec_audit.log  or similar) relating to this issue? There will be an
identifier that will indicate which rule the request has triggered.

This will enable me to report the issue to the upstream (the Core Rules
maintainer, most likely) appropriately.

Comment 2 Jari Turkia 2007-04-18 13:33:24 UTC

Sure. Here goes:

[Mon Apr 09 09:56:17 2007] [error] [client xxx.yyy.zzz.ååå] ModSecurity: Access de
nied with code 500 (phase 1). Pattern match
"\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs..."
at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by
policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"]
unique_id "iKokRcCoCAEAACmtslwAAAAD"]

Comment 3 Michael Fleming 2007-06-17 12:39:49 UTC

This is part of the upstream package's Core Rules set
(http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) 

I would suggest disabling the rule (or set it to just log) if you can't rename
the file to use another extension.

I am planning to update the existing package to a new ruleset and main package,
which _may_ help your situation.

Comment 4 Jari Turkia 2007-06-18 09:48:20 UTC

(In reply to comment #3)
> This is part of the upstream package's Core Rules set
> (http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
> it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) 

Ok. I agree, it works as advertised.
 
> I would suggest disabling the rule (or set it to just log) if you can't rename
> the file to use another extension.

Look. It is proxy autoconfig. It needs to be wpad.dat. The reason I filed this
bug is that perhaps there could be and exception for this file.

> I am planning to update the existing package to a new ruleset and main package,
> which _may_ help your situation.

Great!

If possible, in the files include examples on how to change a rule to be
log-only or how to create an exception for a file or directory. The rules look
very complex.

Note You need to log in before you can comment on or make changes to this bug.