Apache Week
   

Copyright 1996-2005
Red Hat, Inc.

First published: 22nd March 2002

Apache 1.3.24 Released

Apache 1.3.24 was released on 22nd March 2002 and is now the latest version of the Apache server. The previous release was 1.3.22, released on the 24th January 2002. See what was new in Apache 1.3.23.

Apache 1.3.24 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release, with a few new features. Users should upgrade if they are running on Windows, will be affected by the particular bugs mentioned below, or would like to use any of the new features.

Due to security issues, any sites using versions prior to Apache 1.3.22 should upgrade to at least Apache 1.3.22. Read more about all the security issues that affect Apache 1.3.

Security issues

  • Apache for Win32 before 1.3.24 allows remote attackers to execute arbitrary commands via parameters passed to batch file CGI scripts. More details in Apache Week issue 288 or CAN-2002-0061

    The problem occurs because the input is not properly validated; it is possible to append commands as parameters to the batch file CGI script and have the shell interpreter execute them

    The characters % and \r have been added to the dangerous Win32/OS2 characters list, and the command line is now passed to the interpreter double quoted. In addition Apache now introduces earlier identification of command.com vs cmd.exe, and treats command.com as a 16-bit application

    As additional protection in case future CGI argument vulnerabilities are discovered, a new directive CgiCommandArgs off has been added to allow administrators to completely disable the query argument passing mechanism in Apache

  • A bug was found that could cause invalid hostnames to appear in Apache log files. If a double-reverse lookup was performed (for example for Allow from .example.com) but failed, then a spoofed dns-reverse-address could appear in the logs. Note this bug doesn't give any access to protected resources, it only affects what gets written to the log file

New features

The main new features in 1.3.24 (compared to 1.3.23) are:

  • Add IgnoreCase keyword to the IndexOptions directive to allow filename listings to ignore case
  • The proxy code read chunks from the backend server in a hardcoded amount of 8192 bytes. A new directive ProxyIOBufferSize has been added to specify the size of the read buffer from the remote server
  • Previously the proxy would wait until the response had been delivered to the client completely before closing the backend connection. Now the backend connection is closed as soon as the last byte is read from it, freeing up resources
  • mod_alias writes a warning to the error log if it fixes up a incomplete redirection target (such as turning /foo into http://host/foo). Since this is a supported operation the message has been demoted so that it will only show up at LogLevel Debug
  • When using mod_proxy to access FTP sites it was impossible to reach a higher directory than the logged in directory, as combinations of /../ are interpreted by the browser and not sent to the server. This problem affects other proxies as well. The Squid proxy uses a "Squid %2f hack" which has been adapted to work in Apache. By prepending /%2f to the path of your request, you can make the proxy change the FTP starting directory to / instead of starting at the home directory for the logged in user

The main new features that apply to specific platforms are:

  • Provide new logging to assist Win32 users debug CGI scripts. When at LogLevel info the cgi command invoked is logged. When at LogLevel debug the environment variables are also logged
  • Added a logging module for NetWare, mod_log_nw, as NetWare is unable to use the RotateLog utility
  • Added a -e command line directive for NetWare to force all fatal configuration file errors to the logger screen. This allows Apache to shutdown cleanly and completely on an error condition

Bugs fixed

The following bugs were found in Apache 1.3.23 and have been fixed in Apache 1.3.24:

  • Fix a segfault condition in mod_include which could be triggered by improper termination of conditional directives such as #if
  • Fix a problem in mod_proxy where the Server header from the backend system would be replaced by one from Apache. This violated RFC2616. This fix has introduced a further issue which allows modules to override the Server header, but this will be fixed in the next release
  • There is a problem in mod_proxy where each entry of a duplicated header such as Set-Cookie would overwrite the previous value of the header, resulting in multiple header values (like cookies) going missing. A fix was committed to 1.3.24 but doesn't fix the problem
  • Fixes to apxs to allow the -S option to contain quotes, and to rebuild apxs when options have been changed
  • The Location response header, used for external redirects, must be an absolute URI. The Redirect directive tested for that, but RedirectMatch did not and would allow almost anything through
  • Fix a longstanding bug that errors returned by src/Configure would not be noticed by the top level configure script. That was bad for automated production environments, as errors would pass through unnoticed
  • mod_proxy would send a HTTP/1.0 request even though it is now compliant with HTTP/1.1
  • A number of other changes have been made to FTP handling in mod_proxy including properly escaping file names from directory listings, a cleanup to the output HTML, the output of directory listings in ASCII to avoid issues with EBCDIC servers, and the closing of the data and control channels to the server properly
  • Previous fixes to mod_rewrite in Apache 1.3.23 broke the ability to do random balancing. PR#10090, PR#10185

The following bugs relate to specific platforms:

  • The Win32 port has had the remaining cases of blocking network IO eliminated
  • A change has been made on TPF to make make the ap_open_logs call the same as other platforms and prevent a possible SIGPIPE in standalone_main
  • Work around a bug in Windows XP that caused data corruption on writes to the network
  • The support for enabling pthreads-based accept() serialization using the AcceptMutex configuration directive suffered from a serious problem on Solaris platforms as the pthreads library was not being linked into the httpd executable. This meant stub versions of the mutex functions are used from the C library, which resulted in no serialization being enforced

This feature brought to you by: Mark J Cox
Comments or criticisms? Please email us at editors@apacheweek.com