Apache Week
   
   Issue 263, 21st September 2001:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Under development

Graham Leggett brought up the topic of how to distribute a "roll-up" release of Apache 2.0; a release which would include some of the other modules hosted in separate repositories at apache.org such as mod_proxy. The method that seemed to be preferred by most group members was to to integrate all of these extra modules into a tarball which is distributed alongside the normal 2.0 release tarball.

The gzip module controversy (covered in the previous issue) was re-ignited briefly as Hyperspace Communications released their 2.0 port of mod_gzip, despite previously stating they would not do so until the next 2.0 beta. The module received several detailed reviews from the list.

The prototype SSL filter mod_tls was removed from the 2.0 tree this week since mod_ssl is now fully integrated. A vote also took place to move the new LDAP module out into a separate repository, which received unanimous support.

Greg Stein committed a redesign of the mod_dav property database interface to Apache 2.0, making it easier to implement a repository storage module which is not based on a filesystem.


Security Reports

Mandrake issued a security advisory after updating their Apache packages to Apache 1.3.20. Apache 1.3.17 contains a vulnerability which can cause a listing of the files in a directory to be displayed instead of the default index page.

SuSE issued a security advisory for their mod_auth_mysql package shipped with SuSE Linux 7 and above as it was found vulnerable to SQL command injection as mentioned in Apache Week #261

SecurityFocus discusses a misconfiguration of Apache that allows remote users to determine if a given username exists on a system. Although the advisory mentions Red Hat Linux, the default configuration of Apache 1.3.20 is also affected

Mac OS X users should be aware of a potential problem as the Finder creates files .DS_Store in viewed directories. Unless Apache is configured to deny access to these files a remote user can request them and be given a list of files in the directory.


In the news

IIS exploits trigger Apache bug

Another worm designed to exploit IIS is affecting an increasing number of servers this week. Apache administrators can spot the worm's attempts at breaking in by groups of around 16 failed requests in a row in server access logs:

195.92.24.111 - - [21/Sep/2001:09:50:53 +0100] 
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 
404 126 -
Apache is not vulnerable to these attempts, however under certain circumstances a child may crash due to a bug in mod_include that affects all versions of Apache. If a server uses an ErrorDocument for 404 (request not found) errors which points to a parsed html file which uses a <!--#include virtual="file" --> section, then a request containing %2f will result in a segfault. The segfault is harmless and is not a security problem.

With all the recent publicity concerning IIS security you would have expected anyone running a critical service on Windows to have installed the latest patches. However according to The Register, "Nimda worm runs riot on IT sites", the recent worm has infected a number of corporate sites who should know better - including Microsoft themselves. No wonder then that in a CNET article, "Commentary: Another worm, more patches", Gartner are recommending that businesses move from IIS to iPlanet or Apache.

Tomcat 4.0 released

The Jakarta Project this week announced the release of version 4.0 of Tomcat, shortly after the Servlet 2.3 and JSP 1.2 specifications were made final. Tomcat is the open source servlet container that runs within Apache to implement Java Servlets and JavaServer Pages. Tomcat 4.0 is available for download.


Conferences

The Apache Software Foundation's Conferences Committee has made a final selection for the new ApacheCon management company from among the respondents to the Request For Proposals (RFP) it posted last month. The winning bid was submitted by Security Travel, Inc, which are well known for their Def Con and Black Hat Seminars conferences. The ASF and Security Travel are now engaged in working out a detailed agreement before planning the next ApacheCon. Apache Week will keep you informed of the progress, or you can join the announcement list by sending an empty message to announce-subscribe@ApacheCon.Com


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

O'Reilly ONLamp.com brings you the latest information about "Writing Apache 2.0 Output Filters" in Ryan Bloom's column. This article gives enough information for a developer to be able to write an output filter from scratch. According to Ryan, the Apache developers have improved the interface over the past few releases so that the complex task of writing filters has become easier.

The administrators at evolt.org are "Using Apache to stop bad robots". In a short article they show how they capture robots that not only ignore the robots.txt file, but deliberately try to index files they are told not to.

Morbus Iff develops a "Search Engine Friendly SSI Image Gallery" in his article on evolt.org. The article shows how to create a dynamic image gallery, using only the features built into a core distribution of Apache.

At LinuxWorld.com, Joshua Drake gives a guide on "How to save an Apache log file in a PostgreSQL database". The article gives a step by step guide to using the pgLOGd program with Apache.


This issue brought to you by: Ken Coar, Mark J Cox, Joe Orton
Comments or criticisms? Please email us at editors@apacheweek.com