Apache Week
Issue 216, 22nd September 2000

Copyright 1996-2005
Red Hat, Inc.

In this issue

Security vulnerability in mod_rewrite

The Apache development list this week contains a fix for a security issue that affects Apache 1.3.12 and earlier. A server is only vulnerable if it uses mod_rewrite and a specific form of the RewriteRule directive: if the substitution produced by a RewriteRule is a filename that contains regular-expression back-references (such as $1), an attacker may be able to read any file on the web server that the server process itself can read.

Here are some example RewriteRule directives. The first is vulnerable, but the others are not: only the first substitutes a back-reference into an absolute filesystem path. The second maps to a URL path, which still goes through the server's normal URL-to-filename translation, and the third redirects the client to an external URL, so no local file is opened from the rewritten result.

RewriteRule    /test/(.*)        /usr/local/data/test-stuff/$1
RewriteRule    /more-icons/(.*)  /icons/$1
RewriteRule    /go/(.*)          http://www.apacheweek.com/$1

The patch is currently being tested and will be part of the release of Apache 1.3.13. Until then, users should check their configuration files and not use rules that map to a filename such as the first example above.
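The advice above is to audit configuration files for rules of the first shape. The following script is an added example written for this page, not code from Apache Week or from the Apache project: it parses RewriteRule directives out of a constructed httpd.conf fragment and flags those whose substitution is an absolute filesystem path containing a $N or %N back-reference. To tell a filesystem path such as /usr/local/data/test-stuff/$1 from a URL path such as /icons/$1 it uses the same rule mod_rewrite applies in per-server context: if the substitution's leading directory exists on the server it is used as a local path, otherwise DocumentRoot is prepended and it is treated as a URL path. The SAMPLE_CONFIG and SAMPLE_ROOT_DIRS values are constructed for the demonstration; on a real host pass os.path.isdir (the default) so the check consults the actual filesystem.

```python
import os
import re
from typing import Callable, Dict, List

# Back-references a substitution can carry: $N from the RewriteRule pattern
# and %N from the last matching RewriteCond. (%N also matches a literal
# percent-escape such as %20, which is rare in a path and worth a look anyway.)
_BACKREF = re.compile(r"[$%][0-9]")
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
_DIRECTIVE = re.compile(r"^\s*RewriteRule\s+(.*)$", re.IGNORECASE)
# Flags under which mod_rewrite never opens the substituted path itself.
_NO_FILE_FLAGS = {"R", "REDIRECT", "F", "FORBIDDEN", "G", "GONE"}


def _split_args(rest: str) -> List[str]:
    """Split directive arguments on whitespace, honouring double quotes."""
    args, buf, quoted = [], [], False
    for ch in rest:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                args.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        args.append("".join(buf))
    return args


def classify_substitution(subst: str, is_server_dir: Callable[[str], bool]) -> str:
    """Return 'external', 'filesystem', 'url-path' or 'relative'.

    An absolute substitution is a filesystem path when its leading directory
    exists on the server (mod_rewrite's own rule); otherwise DocumentRoot is
    prepended and it behaves as a URL path.
    """
    if _SCHEME.match(subst):
        return "external"
    if subst.startswith("/"):
        first = "/" + subst[1:].split("/", 1)[0]
        return "filesystem" if is_server_dir(first) else "url-path"
    return "relative"


def find_risky_rewrite_rules(config_text: str,
                             is_server_dir: Callable[[str], bool] = os.path.isdir) -> List[Dict]:
    """Return RewriteRule directives whose substitution is a filesystem path
    built from a back-reference, the shape the advisory warns about."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _DIRECTIVE.match(stripped)
        if not m:
            continue
        args = _split_args(m.group(1))
        if len(args) < 2:
            continue
        pattern, subst = args[0], args[1]
        raw_flags = args[2].strip("[]").split(",") if len(args) > 2 else []
        flags = {f.strip().split("=")[0].upper() for f in raw_flags if f.strip()}
        if subst == "-" or flags & _NO_FILE_FLAGS:
            continue
        kind = classify_substitution(subst, is_server_dir)
        if kind == "filesystem" and _BACKREF.search(subst):
            findings.append({"line": lineno, "pattern": pattern,
                             "substitution": subst, "kind": kind})
    return findings


# Constructed sample configuration: the three rules from the newsletter plus
# a comment, a quoted rule, a redirect and a rule without a back-reference.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule    /test/(.*)        /usr/local/data/test-stuff/$1
RewriteRule    /more-icons/(.*)  /icons/$1
RewriteRule    /go/(.*)          http://www.apacheweek.com/$1
# RewriteRule  /old/(.*)         /var/old-site/$1
RewriteRule    "^/docs/(.*)$"    "/var/www/docs/$1"   [L]
RewriteRule    ^/dl/(.*)         /usr/local/files/$1  [R=301,L]
RewriteRule    ^/static/(.*)     /var/www/static/index.html
"""

# Directories assumed (hypothetically) to exist at the root of the server's
# filesystem; /icons is deliberately absent so that rule stays a URL path.
SAMPLE_ROOT_DIRS = {"/usr", "/var", "/home", "/etc"}


def audit_sample() -> List[Dict]:
    """Run the audit over the constructed configuration."""
    return find_risky_rewrite_rules(SAMPLE_CONFIG, lambda d: d in SAMPLE_ROOT_DIRS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"line {f['line']}: RewriteRule {f['pattern']} {f['substitution']}"
              " substitutes a back-reference into a filesystem path")
```

Run against the sample, only the first newsletter rule and the quoted /docs/ rule are reported; the /icons/ rule is a URL path, the redirect never opens a file, and the last rule carries no back-reference. Rules flagged this way are the ones to rewrite or remove until the fixed release is installed.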

Apache stuff

If you've been to one of the Apache conferences you'll probably have picked up a selection of Apache-related goodies. If you don't yet have anything with the cool official Apache feather logo, why not buy a new T-shirt, "Apache Software Foundation: Mirrored", from Copyleft? US$4 is donated to the ASF for every shirt sold, too. If you want Apache-related goodies for free, why not register for ApacheCon 2000 in Europe next month?

Featured Articles

This week, the articles on the web that we highlight here are of particular interest to new Apache users. The Developer Shed shows beginners how to build their own Apache web server. It gives a comprehensive account of Apache's background, including its origins, before proceeding to three different scenarios for building a customized Apache web server.

Linux Magazine on the other hand has an article by Craig Knudsen for users new to PHP. It includes the history of PHP from PHP/FI to PHP 4.0, and instructions for building PHP, Apache, and MySQL.

In February 1997 (Apache Week issue 51) we ran an article on how to gather visitor information by customizing your Apache 1.2 log files. Apache Today has revisited this subject extensively in its "Apache Guide: Logging with Apache" series for Apache 1.3. In his three previous articles, Rich Bowen covered the basics of Apache logs by looking at the access log, the error log, and the CustomLog and LogFormat directives. Logs are of little use unless the data in them is interpreted and analyzed in a meaningful way, so in the fourth article, "Log-File Analysis", Rich gets to the crux of the matter. Although it is not a step-by-step tutorial on how to analyze your logs, it gives a good idea of the information you can expect to extract from them and points you to four log analysis tools (Analog, WebTrends, WWWStat and Wusage) that can help with this task. Alternatively, it suggests the Apache::ParseLog module if you prefer to do it yourself.

Comments or criticisms? Please email us at editors@apacheweek.com