Description of problem:
Proxy auto configuration file http://wpad/wpad.dat is reported as false positive.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a file wpad.dat in the Apache publish root ()
2. Access http://wpad/wpad.dat
HTTP error 500 is returned.
HTTP 200 and the file are expected.
It would be nice to have a file extension allow example in the configs.
Can you find the log entry (or entries) in the mod_security logs
(modsec_audit.log or similar) relating to this issue? There will be an
identifier that will indicate which rule the request has triggered.
This will enable me to report the issue to the upstream (the Core Rules
maintainer, most likely) appropriately.
Sure. Here goes:
[Mon Apr 09 09:56:17 2007] [error] [client xxx.yyy.zzz.ååå] ModSecurity: Access denied with code 500 (phase 1). Pattern match at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"]
This is part of the upstream package's Core Rules set
(http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it)
I would suggest disabling the rule (or set it to just log) if you can't rename
the file to use another extension.
I am planning to update the existing package to a new ruleset and main package,
which _may_ help your situation.
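The two workarounds suggested above (drop the rule for this one file, or make it log-only), written out as an added example in ModSecurity 2.x Apache configuration syntax; this is not from the thread or the package, and the file path and placement relative to the Core Rules Include lines are assumptions:

```apache
# Added example (not from the thread or the package): keeping Core Rules
# rule 960035 from blocking the proxy auto-config file /wpad.dat.
# Paths and placement are assumptions; adjust to the local layout.

# Option 1: remove the single rule only for the wpad.dat URL.
# SecRuleRemoveById must appear after the rule it removes, so this block
# belongs after the Include lines that load the Core Rules.
<LocationMatch "^/wpad\.dat$">
    SecRuleRemoveById 960035
</LocationMatch>

# Option 2: keep the rule but stop it (and every other rule) from blocking
# this one URL; matches are still written to the audit log for review.
# Note this switches the whole engine to detection mode for that path,
# not just rule 960035.
<LocationMatch "^/wpad\.dat$">
    SecRuleEngine DetectionOnly
</LocationMatch>

# Either way, re-request http://wpad/wpad.dat afterwards and confirm a
# 200 response and no new [id "960035"] entry in modsec_audit.log.
```

Putting `SecRuleRemoveById 960035` at server level instead of inside a LocationMatch disables the extension check for every URL, which is the broader change the comment above advises against unless renaming is impossible.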
(In reply to comment #3)
> This is part of the upstream package's Core Rules set
> (http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
> it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it)
Ok. I agree, it works as advertised.
> I would suggest disabling the rule (or set it to just log) if you can't rename
> the file to use another extension.
Look. It is proxy autoconfig. It needs to be wpad.dat. The reason I filed this
bug is that perhaps there could be an exception for this file.
> I am planning to update the existing package to a new ruleset and main package,
> which _may_ help your situation.
If possible, in the files include examples on how to change a rule to be
log-only or how to create an exception for a file or directory. The rules look