Graham Leggett brought up the topic of how to distribute a
"roll-up" release of Apache 2.0; a release which would include some of
the other modules hosted in separate repositories at apache.org such
as mod_proxy. The method that seemed to be preferred by most group
members was to integrate all of these extra modules into a tarball
which is distributed alongside the normal 2.0 release tarball.

The gzip module controversy (covered in the previous issue) was
re-ignited briefly as Hyperspace Communications released their 2.0 port
of mod_gzip, despite previously stating they would not do so until the
next 2.0 beta. The module received several detailed reviews from the

The prototype SSL filter mod_tls was removed from the
2.0 tree this week since mod_ssl is now fully integrated.

A vote also took place to move the new LDAP module out into a separate
repository, which received unanimous support.

Greg Stein committed a redesign of the mod_dav property
interface to Apache 2.0, making it easier to implement a repository
storage module which is not based on a filesystem.

Mandrake issued a security advisory after updating their
Apache packages to Apache 1.3.20. Apache 1.3.17 contains a
vulnerability which can cause a listing of the files in a directory to be
displayed instead of the default index page.

SuSE issued a security advisory for their mod_auth_mysql package shipped with
SuSE Linux 7 and above, as it was found vulnerable to SQL command
injection, as mentioned in Apache Week #261.

SecurityFocus discusses a misconfiguration of Apache that allows
remote users to determine if a given username exists on a system. Although
the advisory mentions Red Hat Linux, the default
configuration of Apache 1.3.20 is also affected.

Mac OS X users should be aware of a
as the Finder creates .DS_Store files in viewed directories.
Unless Apache is configured to deny access to these files, a remote user can
request them and be given a list of files in the directory.

Another worm designed to exploit IIS is affecting an increasing number
of servers this week.
Apache administrators can spot the worm's attempts at breaking in by
groups of around 16 failed requests in a row in server access logs:

188.8.131.52 - - [21/Sep/2001:09:50:53 +0100] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 126 -

Apache is not vulnerable to these attempts; however, under certain circumstances
a child may crash due to a bug in mod_include
that affects all versions of Apache.
If a server uses an ErrorDocument for 404 (request not found)
errors which points to a parsed HTML
file which uses a <!--#include virtual="file" -->
section, then a request containing %2f will result in a segfault. The
segfault is harmless and is not a security problem.
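
The log pattern described above (a run of failed requests from one client that includes the cmd.exe probe) can be searched for mechanically. The following Python is an added example, not part of the original Apache Week text; the function names, the thresholds (10 requests, 30-second gap) and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Common Log Format prefix: host ident user [time] "request" status bytes
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # not an access-log line
    host, ts, request, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return host, when, request, int(status)

def find_bursts(lines, min_run=10, max_gap=timedelta(seconds=30), marker="cmd.exe"):
    """Return (host, first_seen, count) for each run of consecutive failed
    requests from one host that is at least min_run long and probes marker."""
    runs, bursts = {}, []  # runs: host -> [first, last, count, saw_marker]
    def close(host):
        first, _, count, hit = runs.pop(host)
        if count >= min_run and hit:
            bursts.append((host, first, count))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        host, when, request, status = rec
        run = runs.get(host)
        failed = 400 <= status < 500
        if run and (not failed or when - run[1] > max_gap):
            close(host)  # a success or a long pause ends the run
            run = None
        if failed:
            if run is None:
                run = runs[host] = [when, when, 0, False]
            run[1] = when
            run[2] += 1
            run[3] = run[3] or marker in request.lower()
    for host in list(runs):
        close(host)  # flush runs still open at end of log
    return sorted(bursts, key=lambda b: b[1])

def sample_log():
    """Constructed sample: 16 probes from one host, plus ordinary traffic."""
    probe = "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
    lines = ['192.0.2.10 - - [21/Sep/2001:09:50:%02d +0100] "%s" 404 126 -' % (s, probe) for s in range(16)]
    lines.insert(5, '198.51.100.7 - - [21/Sep/2001:09:50:05 +0100] "GET /index.html HTTP/1.0" 200 4096 -')
    lines.append('198.51.100.7 - - [21/Sep/2001:09:51:10 +0100] "GET /missing.html HTTP/1.0" 404 210 -')
    return lines
```

Runs are tracked per client, so requests from other visitors interleaved in the log do not break a burst; a lone 404 from an ordinary visitor is not reported.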

With all the recent publicity concerning IIS security you would have expected
anyone running a critical service on Windows
to have installed the latest patches.
However, according to The Register, "Nimda
worm runs riot on IT sites", the recent worm has infected a number of
corporate sites who should know better - including Microsoft themselves.
No wonder then that in a CNET article,
"Another worm, more patches", Gartner are recommending that businesses move
from IIS to iPlanet or Apache.

The Jakarta Project
this week announced the release of version 4.0 of Tomcat, shortly
after the Servlet 2.3 and JSP 1.2 specifications were made final.
Tomcat is the open source servlet container that runs within
Apache to implement Java Servlets and JavaServer Pages.
Tomcat 4.0 is available for download.

The Apache Software Foundation's Conferences Committee
has made a final selection for the new ApacheCon management
company from among the respondents to the Request For Proposals
(RFP) it posted last month. The winning bid was submitted by
Security Travel, Inc, which are well known for their Def Con
and Black Hat Seminars conferences. The ASF and Security
Travel are now engaged in working out a detailed agreement
before planning the next ApacheCon. Apache Week will keep
you informed of the progress, or you can join the
list by sending an empty message to

In this section we highlight some of the articles on the web that are of
interest to Apache users.

O'Reilly ONLamp.com brings you the latest information about "Writing
Apache 2.0 Output Filters"
in Ryan Bloom's column. This article gives enough information
for a developer to be able to write an output filter from scratch.
According to Ryan, the Apache developers have improved the interface
over the past few releases so
that the complex task of writing filters has become easier.

The administrators at evolt.org are
"Using Apache to stop bad robots". In a short article they show how they capture robots
that not only ignore the robots.txt file, but deliberately
try to index files they are told not to.

Morbus Iff develops a "Search
Engine Friendly SSI Image Gallery" in his article on evolt.org.
The article shows how to create a dynamic image gallery, using only
the features built into a core distribution of Apache.

At LinuxWorld.com, Joshua Drake gives a guide on
to save an Apache log file in a PostgreSQL database". The article gives
a step by step guide to using the pgLOGd program with Apache.