Apache Week
Issue 218, 13thOctober2000:

Copyright 2020 Red Hat, Inc

In this issue

Update: Security vulnerability in mod_rewrite

In Apache Week (issue 216) we highlighted a security problem in the Rewrite module, mod_rewrite. We gave three examples of RewriteRules and stated that only the first was vulnerable:

RewriteRule    /test/(.*)        /usr/local/data/test-stuff/$1
RewriteRule    /more-icons/(.*)  /icons/$1
RewriteRule    /go/(.*)          http://www.apacheweek.com/$1

This was incorrect, as both the first and second examples are vulnerable. The security problem has been fixed in Apache 1.3.14

Apache 1.3.14 Released

Apache 1.3.14 was released on 13th October 2000 and is now the latest version of the Apache server. The previous release was 1.3.12, released on the 25th February 2000. See what was new in Apache 1.3.12. Apache 1.3.13 was never released.

Apache 1.3.14 is available in source form for compiling on Unix or Windows, for download from the main Apache site or shortly from any mirror download site. Binary packages for some platforms are also available.

This is a bug fix and minor upgrade release, with a few new features. Users should upgrade if they have noticed particular bugs mentioned below or would like to use any of the new features.

Due to security issues any sites making use of the mass virtual hosting module mod_vhost_alias or mod_rewrite should upgrade to Apache 1.3.14.

Security vulnerabilities

  • A security problem exists in the Rewrite module. Apache is only vulnerable if you use mod_rewrite and specific cases of the RewriteRule directive. If the destination of a RewriteRule contains regular expression references then an attacker may be able to access any file on the web server.
  • A security problem exists in the handling of Host: headers in mass virtual hosting configurations. Under certain circumstances an attacker may be able to access any file on the web server
  • A security problem for users of the mass virtual hosting module, mod_vhost_alias, causes the source to a CGI to be sent if the cgi-bin directory is under the document root

New features

The main new features in 1.3.14 (compared to 1.3.12) are:

  • Support a directory-based configuration system. If any of the configuration directives point to directories instead of files, all files in that directory (and in subdirectories) will be also parsed as configuration files. PR#6397
  • Support name-based virtual hosting without needing to specify an IP address in the Apache configuration file. This enables sites that use dynamic IP address to support name-based virtual hosting as well as allowing identical machines to share a configuration file, say in a load-balanced cluster. PR#5595, PR#4455
  • An update to the bundled dbmmanage program to add back group support, and overhaul the other commands to add a comment argument
  • The SetEnvIf and BrowserMatch range of directives can now be used in .htaccess files.
  • The media types have been added to the default mime.types file including filename extensions for the WAP types.
  • An addition to the htpasswd tool allows passwords to be generated and output to standard output rather than a password file allowing the tool to be used to generate passwords for inclusion into other types of databases.
  • Administrators who are nervous about their full server version details being public will be able to use the new keyword 'ProductOnly' in the ServerTokens directive. When used, Apache will only return the string "Apache" as the server version. Sites such as the Netcraft in England make it easy for anyone to examine what server sites are running.
  • The new digest authentication module, mod_auth_digest has had a number of fixes and upgrades applied. These include the ability to compile using a C++ compiler, and alterations to the nonce to potentially allow the sharing of authentication realms across machines.
  • A number of code cleanups have been made to Apache. The cleanups were originally contributed as part of the patches from SGI to speed up Apache. Although the performance parts are not going to become part of Apache 1.3, the minor fixes have been applied.
The new features that apply only to Windows platforms are:
  • Bundle the DBM package sdbm with Apache. sdbm is used by default by mod_auth_dbm in the core Win32 distribution. sdbm support may be compiled into Apache on other platforms in the future.
  • The Windows project files have been converted to work with Microsoft Visual C 6.0. Scripts have been provided to allow developers who only have access to MSVC 5.0 to use the new files as they are not backward compatible.
  • Preparations for allowing Apache to be built using the free bcc 5.5 compiler from Borland.
  • Windows 95 and 98 can now benefit from an emulation of NT services, including install and uninstall options. The Apache server therefore can start when the OS loads and will not stop if the current user logs off. A handler for Win32 Ctrl+C, Ctrl+Break, Close, Logoff, and Shutdown has been added.
  • A comprehensive review of the Windows documentation has been committed which should reduce the number of support enquiries and problem reports.
  • Numerous additions and fixes to the Windows service code including cleaning up and testing the existing code, allowing graceful restarts to a service, and the prevention of starting multiple copies of a Windows 9x service with the same name.
  • Hold open the console until manually closed in Windows if the server fails to run, allowing any error message to be read
  • Changes to the Windows build process to eliminate duplicate references for exported libraries and remove libraries included by Microsoft Visual C by default that are not required.
Other platform-specific changes are:
  • Support for the new FreeBSD accept filters feature. This feature postpones the requirement for a child process to handle a new connection until a HTTP request has arrived, therefore increasing the number of connections that a given number of child processes can handle
  • A number of alterations for the MPE platform including fixing error reporting, updating the DSO code to be compatible with a recent OS patch, refining user and group management, and initial support for the proxy module
  • The default serialised accept has been changed for AIX 4.3 to provide a substantial performance improvement on multiple CPU machines serving large numbers of concurrent clients.
  • DSO support added for BS2000 and OS/390 USS platforms
  • A directory layout for Solaris 8 has been added to the configuration system
  • The proxy module mod_proxy has been patched so that it can be built on BeOS 4.5.2
  • Updated configuration script to allow building on IBM's IA-64 version of AIX

Bugs fixed

The following bugs were found in Apache 1.3.12 and have been fixed in Apache 1.3.14

  • The AddDefaultCharset directive was being incorrectly merged. PR#5827
  • The Remove* MIME directives were being incorrectly merged. PR#5597
  • The expiry module, mod_expires would not correctly merge its Cache-Control header. PR#5769
  • The proxy module, mod_proxy had a garbage collection problem. PR#1891, PR#3278, PR#4139, PR#5997
  • Apache ignores the case of a filename on platforms that have case-insensitive file systems (such as Windows and OS/2), however this causes problems for Java class files published by WebDAV for example.
  • ApacheBench sends an authorisation header of "basic" although the standard, RFC 2617, always refers to the header as being "Basic". This causes problems with older versions of PHP
  • Various problems with the digest authentication module, mod_auth_digest. The fixes include: reworked handling of the MD5 password hashing, ability for independant servers to share the same realm, and fixes in handling the Authorization header.
  • Compiling on OS/2 produces a few warning messages.
  • The benchmarking utility, ApacheBench (ab), would fail to compile stand-alone.
  • The return value in an APXS error message was incorrectly calculated.
  • The platform name used as part of the server version string would incorrectly return "Unix" for BeOS machines.
  • Some versions of sed have a restriction causing problems with APACI where "1,/<pattern>/" commands start searching for <pattern> at the 2nd line.
  • DSO loads fail with "permission denied" errors on AIX 4.1.5 due to changes made to support AIX 4.2
  • Chunked encoding is broken on EBCDIC platforms due to the recent changes in global handling of CRLF
  • The ServerTokens directive treats invalid keywords as equivalent to 'Full'
Bugs now fixed that only affected the Windows platform include:
  • The handling of '/' characters in URL parsing of directory blocks is inconsistent. Using directives such as <Directory /> should match the root directory of any drive for example
  • mod_isapi has a number of problems. The fixes make ISAPI support for Apache more complete, but there are still some discrepancies.
  • Win32 has a bug in network read select() that is noticed specifically when using SSL enabled Apache and Server Gated Cryptography certificates. Sometimes the SSL handshake does not complete and the user sees a network error message.
  • The bundled dbmmanage script did not work correctly when files contained groups. The seed calculation was incorrect on windows platforms. PR#3810, PR#5527
  • When Apache is run on Windows NT and 2000 messages sent to stderr before Apache opens its own log files will be sent to the Application Event Log
  • Ctrl+C is not treated as an interrupt on Windows 2000
  • On Windows, only the local host name discovered by the IP stack is treated as an 'undotted' private name. This causes problems if no domain name can be identified.
  • A security hole on NT allows a user to view the listing of a directory instead of the default HTML page by sending a carefully constructed request.
  • The default ServerName on Windows platforms caused confusion. PR#5509, PR#5783, PR#5953, PR#5903, PR#5983, PR#5259, PR#5515, PR#5858
  • The Windows and Unix default httpd.conf files have drifted out of sync with each other
  • The proxy module, mod_proxy can not be dynamically loaded on Windows 95.
  • Problems when handling service names that include spaces on Windows NT platforms.
  • Apache did not change to the correct directory when starting as a service on Windows, causing problems with modules that loaded third-party DLLs (such as mod_dav)
  • Proxying of HTTPS requests fail under Windows. PR#2014, PR#4680, PR#5107, PR#5823
  • The proxy garbage collection routine on Windows NT fails to open directories, causing many error messages to be logged. PR#3640
  • Apache on Windows was making assumptions about the default shell (cmd.exe for NT, command.com for others). Instead it should use the COMSPEC environment variable.