Bug 236063 - Proxy auto config reported as false positive
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: mod_security
Version: 6
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Michael Fleming
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-04-11 15:05 EDT by Jari Turkia
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-06-17 08:39:49 EDT


Description Jari Turkia 2007-04-11 15:05:23 EDT
Description of problem:
Proxy auto configuration file http://wpad/wpad.dat is reported as false positive.

Version-Release number of selected component (if applicable):
2.1.0-3.fc6

How reproducible:
Always. Easily.

Steps to Reproduce:
1. Create file wpad.dat into Apache publish root ()
2. Access http://wpad/wpad.dat
  
Actual results:
HTTP error 500 is returned.

Expected results:
HTTP 200 and the file is expected.

Additional info:
It would be nice to have a file extension allow example in the configs.
Comment 1 Michael Fleming 2007-04-18 05:51:47 EDT
Hi,

Can you find the log entry (or entries) in the mod_security logs
(modsec_audit.log  or similar) relating to this issue? There will be an
identifier that will indicate which rule the request has triggered.

This will enable me to report the issue to the upstream (the Core Rules
maintainer, most likely) appropriately.
Comment 2 Jari Turkia 2007-04-18 09:33:24 EDT
Sure. Here goes:

[Mon Apr 09 09:56:17 2007] [error] [client xxx.yyy.zzz.ååå] ModSecurity: Access denied
with code 500 (phase 1). Pattern match
"\\\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|s(?:html?|ql|tm|ys)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|l(?:icx|nk|og)|\\\\w{,5}~|webinfo|ht[rw]|xs..."
at REQUEST_BASENAME. [id "960035"] [msg "URL file extension is restricted by
policy"] [severity "CRITICAL"] [hostname "wpad.my.domain"] [uri "/wpad.dat"]
unique_id "iKokRcCoCAEAACmtslwAAAAD"]
Comment 3 Michael Fleming 2007-06-17 08:39:49 EDT
This is part of the upstream package's Core Rules set
(http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) 

I would suggest disabling the rule (or set it to just log) if you can't rename
the file to use another extension.

I am planning to update the existing package to a new ruleset and main package,
which _may_ help your situation.
Comment 4 Jari Turkia 2007-06-18 05:48:20 EDT
(In reply to comment #3)
> This is part of the upstream package's Core Rules set
> (http://www.modsecurity.org/projects/rules/index.html) and as far as I can see
> it's working as advertised. (the rule looks for "d(?:bf?|at|ll|os)" and finds it) 

Ok. I agree, it works as advertised.
 
> I would suggest disabling the rule (or set it to just log) if you can't rename
> the file to use another extension.

Look. It is proxy autoconfig. It needs to be wpad.dat. The reason I filed this
bug is that perhaps there could be an exception for this file.

> I am planning to update the existing package to a new ruleset and main package,
> which _may_ help your situation.

Great!

If possible, in the files include examples on how to change a rule to be
log-only or how to create an exception for a file or directory. The rules look
very complex.
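
The two workarounds raised in this thread (disabling rule 960035, or making an exception for the one file), written out as an added configuration example. It is not part of the bug report or of the mod_security package. The virtual host layout, the document root and the local rule id are assumptions; the rule id 960035, the hostname and the URI come from the log entry in comment 2.

```apache
# Added example. Use ONE of the two options, not both.

# Option A: disable only rule 960035, and only for the WPAD host.
# Assumption: wpad.dat is served from its own virtual host, as the
# [hostname "wpad.my.domain"] field in the log entry suggests.
# This must be read after the Core Rules have been loaded, because a rule
# can only be removed once it has been defined. Every other Core Rule stays
# active for this host, and 960035 stays active for every other host.
<VirtualHost *:80>
    ServerName wpad.my.domain
    # Hypothetical document root
    DocumentRoot /var/www/wpad
    SecRuleRemoveById 960035
</VirtualHost>

# Option B: keep 960035 everywhere and let exactly one path through.
# The log shows 960035 running in phase 1, so this rule must also run in
# phase 1 and must be loaded BEFORE the Core Rules so that it matches first.
# The anchored pattern matches /wpad.dat only, not other .dat files.
# id:1000001 is a hypothetical local rule id.
# What "allow" skips (the rest of the phase or the rest of the transaction)
# depends on the ModSecurity version; check the reference manual for the
# installed release before relying on later phases still running.
SecRule REQUEST_FILENAME "^/wpad\.dat$" "phase:1,id:1000001,nolog,allow"
```

After reloading Apache, a request for http://wpad/wpad.dat should return 200, while a request for any other file ending in .dat should still produce the 960035 entry in the error log.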
