In this issue
In Apache Week (issue 216) we
highlighted a security problem in the Rewrite module,
mod_rewrite. We gave three examples of
RewriteRules and stated that only the first was vulnerable:
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
This was incorrect, as both the first and second examples are
vulnerable. The security problem has been fixed in Apache
Apache 1.3.14 was released on 13th October 2000
and is now the latest version of the Apache server. The
previous release was 1.3.12, released on the 25th February
what was new in Apache 1.3.12. Apache 1.3.13 was never
Apache 1.3.14 is available in source form for compiling on
Unix or Windows, for download from the main Apache site or
shortly from any mirror download
site. Binary packages for some platforms are also
This is a bug fix and minor upgrade release, with a few new
features. Users should upgrade if they have noticed
particular bugs mentioned below or would like to use any of
the new features.
Due to security issues any sites making use of the mass
virtual hosting module mod_vhost_alias or
mod_rewrite should upgrade to Apache 1.3.14.
A security problem exists in the Rewrite module. Apache is
only vulnerable if you use mod_rewrite and specific cases
of the RewriteRule directive. If the
destination of a RewriteRule contains regular expression
references then an attacker may be able to access any file
on the web server.
A security problem exists in the handling of Host: headers
in mass virtual hosting configurations. Under certain
circumstances an attacker may be able to access any file on
the web server
A security problem for users of the mass virtual hosting
module, mod_vhost_alias, causes the source to
a CGI to be sent if the cgi-bin directory is
under the document root
The main new features in 1.3.14 (compared to 1.3.12) are:
The new features that apply only to Windows platforms are:
Support a directory-based configuration system. If any of
the configuration directives point to directories instead
of files, all files in that directory (and in
subdirectories) will be also parsed as configuration files.
Support name-based virtual hosting without needing to
specify an IP address in the Apache configuration file.
This enables sites that use dynamic IP address to support
name-based virtual hosting as well as allowing identical
machines to share a configuration file, say in a
load-balanced cluster. PR#5595,
An update to the bundled dbmmanage program to
add back group support, and overhaul the other commands to
add a comment argument
The SetEnvIf and BrowserMatch
range of directives can now be used in
The media types have been added to the default
mime.types file including filename extensions
for the WAP types.
An addition to the htpasswd tool allows
passwords to be generated and output to standard output
rather than a password file allowing the tool to be used to
generate passwords for inclusion into other types of
Administrators who are nervous about their full server
version details being public will be able to use the new
keyword 'ProductOnly' in the
ServerTokens directive. When used, Apache will
only return the string "Apache" as the server version.
Sites such as the Netcraft in England make it easy for
anyone to examine
what server sites are running.
The new digest authentication module,
mod_auth_digest has had a number of fixes and
upgrades applied. These include the ability to compile
using a C++ compiler, and alterations to the nonce to
potentially allow the sharing of authentication realms
A number of code cleanups have been made to Apache. The
cleanups were originally contributed as part of the patches from SGI to
speed up Apache. Although the performance parts are not
going to become part of Apache 1.3, the minor fixes have
Other platform-specific changes are:
Bundle the DBM package sdbm with Apache. sdbm is used by
default by mod_auth_dbm in the core Win32
distribution. sdbm support may be compiled into Apache on
other platforms in the future.
The Windows project files have been converted to work with
Microsoft Visual C 6.0. Scripts have been provided to allow
developers who only have access to MSVC 5.0 to use the new
files as they are not backward compatible.
Preparations for allowing Apache to be built using the free
bcc 5.5 compiler from Borland.
Windows 95 and 98 can now benefit from an emulation of NT
services, including install and uninstall options. The
Apache server therefore can start when the OS loads and
will not stop if the current user logs off. A handler for
Win32 Ctrl+C, Ctrl+Break, Close, Logoff, and Shutdown has
A comprehensive review of the Windows documentation has
been committed which should reduce the number of support
enquiries and problem reports.
Numerous additions and fixes to the Windows service code
including cleaning up and testing the existing code,
allowing graceful restarts to a service, and the prevention
of starting multiple copies of a Windows 9x service with
the same name.
Hold open the console until manually closed in Windows if
the server fails to run, allowing any error message to be
Changes to the Windows build process to eliminate duplicate
references for exported libraries and remove libraries
included by Microsoft Visual C by default that are not
Support for the new FreeBSD accept filters feature. This
feature postpones the requirement for a child process to
handle a new connection until a HTTP request has arrived,
therefore increasing the number of connections that a given
number of child processes can handle
A number of alterations for the MPE platform including
fixing error reporting, updating the DSO code to be
compatible with a recent OS patch, refining user and group
management, and initial support for the proxy module
The default serialised accept has been changed for AIX 4.3
to provide a substantial performance improvement on
multiple CPU machines serving large numbers of concurrent
DSO support added for BS2000 and OS/390 USS platforms
A directory layout for Solaris 8 has been added to the
The proxy module mod_proxy has been patched so
that it can be built on BeOS 4.5.2
Updated configuration script to allow building on IBM's
IA-64 version of AIX
The following bugs were found in Apache 1.3.12 and have been
fixed in Apache 1.3.14
Bugs now fixed that only affected the Windows platform include:
The AddDefaultCharset directive was being
incorrectly merged. PR#5827
The Remove* MIME directives were being
incorrectly merged. PR#5597
The expiry module, mod_expires would not
correctly merge its Cache-Control header. PR#5769
The proxy module, mod_proxy had a garbage
collection problem. PR#1891,
Apache ignores the case of a filename on platforms that
have case-insensitive file systems (such as Windows and
OS/2), however this causes problems for Java class files
published by WebDAV for example.
ApacheBench sends an authorisation header of "basic"
although the standard, RFC 2617, always refers to the
header as being "Basic". This causes problems with older
versions of PHP
Various problems with the digest authentication module,
mod_auth_digest. The fixes include: reworked
handling of the MD5 password hashing, ability for
independant servers to share the same realm, and fixes in
handling the Authorization header.
Compiling on OS/2 produces a few warning messages.
The benchmarking utility, ApacheBench (ab), would fail to
The return value in an APXS error message was incorrectly
The platform name used as part of the server version string
would incorrectly return "Unix" for BeOS machines.
Some versions of sed have a restriction
causing problems with APACI where
"1,/<pattern>/" commands start searching
for <pattern> at the 2nd line.
DSO loads fail with "permission denied" errors on AIX 4.1.5
due to changes made to support AIX 4.2
Chunked encoding is broken on EBCDIC platforms due to the
recent changes in global handling of CRLF
The ServerTokens directive treats invalid
keywords as equivalent to 'Full'
The handling of '/' characters in URL parsing of directory
blocks is inconsistent. Using directives such as
<Directory /> should match the root
directory of any drive for example
mod_isapi has a number of problems. The fixes
make ISAPI support for Apache more complete, but there are
still some discrepancies.
Win32 has a bug in network read select() that is noticed
specifically when using SSL enabled Apache and Server Gated
Cryptography certificates. Sometimes the SSL handshake does
not complete and the user sees a network error message.
The bundled dbmmanage script did not work correctly when
files contained groups. The seed calculation was incorrect
on windows platforms. PR#3810,
When Apache is run on Windows NT and 2000 messages sent to
stderr before Apache opens its own log files will be sent
to the Application Event Log
Ctrl+C is not treated as an interrupt on Windows 2000
On Windows, only the local host name discovered by the IP
stack is treated as an 'undotted' private name. This causes
problems if no domain name can be identified.
A security hole on NT allows a user to view the listing of
a directory instead of the default HTML page by sending a
carefully constructed request.
The default ServerName on Windows platforms caused
The Windows and Unix default httpd.conf files have drifted
out of sync with each other
The proxy module, mod_proxy can not be
dynamically loaded on Windows 95.
Problems when handling service names that include spaces on
Windows NT platforms.
Apache did not change to the correct directory when
starting as a service on Windows, causing problems with
modules that loaded third-party DLLs (such as
Proxying of HTTPS requests fail under Windows. PR#2014,
The proxy garbage collection routine on Windows NT fails to
open directories, causing many error messages to be logged.
Apache on Windows was making assumptions about the default
shell (cmd.exe for NT,
command.com for others). Instead it should use
the COMSPEC environment variable.