Description of problem:
Proxy auto configuration file http://wpad/wpad.dat is reported as false positive.
Version-Release number of selected component (if applicable):
2.1.0-3.fc6
How reproducible:
Always. Easily.
Steps to Reproduce:
1. Create file wpad.dat into Apache publish root ()
2. Access http://wpad/wpad.dat
Actual results:
HTTP error 500 is returned.
Expected results:
HTTP 200 and the file is expected.
Additional info:
It would be nice to have a file extension allow example in the configs.
Hi, Can you find the log entry (or entries) in the mod_security logs (modsec_audit.log or similar) relating to this issue? There will be an identifier that will indicate which rule the request has triggered. This will enable me to report the issue to the upstream (the Core Rules maintainer, most likely) appropriately.
Sure. Here goes:
[Mon Apr 09 09:56:17 2007] [error] [client xxx.yyy.zzz.ååå] ModSecurity: Access denied with code 500 (phase 1). Pattern match "\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs..." at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"] unique_id "iKokRcCoCAEAACmtslwAAAAD"]
This is part of the upstream package's Core Rules set (http://www.modsecurity.org/projects/rules/index.html) and as far as I can see it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) I would suggest disabling the rule (or set it to just log) if you can't rename the file to use another extension. I am planning to update the existing package to a new ruleset and main package, which _may_ help your situation.
(In reply to comment #3)
> This is part of the upstream package's Core Rules set
> (http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
> it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it)
Ok. I agree, it works as advertised.
> I would suggest disabling the rule (or set it to just log) if you can't rename
> the file to use another extension.
Look. It is proxy autoconfig. It needs to be wpad.dat. The reason I filed this bug is that perhaps there could be an exception for this file.
> I am planning to update the existing package to a new ruleset and main package,
> which _may_ help your situation.
Great! If possible, in the files include examples on how to change a rule to be log-only or how to create an exception for a file or directory. The rules look very complex.
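The rule identification requested in comment #1 and supplied in comment #2, as an added example that is not part of the original thread: a small parser that pulls the rule id, matched variable and URI out of ModSecurity error-log lines and counts which rule blocks which URI. The sample lines are constructed in the format of the quoted entry (shortened pattern, documentation client addresses), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the entry quoted in comment #2
# (pattern shortened, client addresses are documentation addresses).
SAMPLE_LOG = r'''
[Mon Apr 09 09:56:17 2007] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 1). Pattern match "\\.(?:d(?:bf?|at|ll|os))" at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"] [unique_id "constructed-0001"]
[Mon Apr 09 09:57:02 2007] [error] [client 192.0.2.11] ModSecurity: Access denied with code 500 (phase 1). Pattern match "\\.(?:d(?:bf?|at|ll|os))" at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"] [unique_id "constructed-0002"]
[Mon Apr 09 09:58:40 2007] [error] [client 192.0.2.12] File does not exist: /var/www/html/favicon.ico
'''

# [key "value"] metadata tags appended to each ModSecurity message
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d+)\)')
TARGET_RE = re.compile(r'" at (\w+)\. \[')

def parse_entry(line):
    """Return the rule metadata of one ModSecurity error-log line, or None."""
    if "ModSecurity:" not in line:
        return None  # ordinary Apache error, not a rule hit
    entry = dict(TAG_RE.findall(line))
    deny = DENY_RE.search(line)
    if deny:
        entry["status"], entry["phase"] = deny.groups()
    target = TARGET_RE.search(line)
    if target:
        entry["variable"] = target.group(1)
    return entry

def blocked_by_rule(log_text):
    """Count (rule id, uri) pairs so repeatedly blocked URIs stand out."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and "id" in entry:
            hits[(entry["id"], entry.get("uri", "?"))] += 1
    return hits

if __name__ == "__main__":
    for (rule_id, uri), count in blocked_by_rule(SAMPLE_LOG).most_common():
        print(f"rule {rule_id} blocked {uri} {count} time(s)")
```
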