Apache Week
Issue 264, 28th September 2001

Copyright 1996-2005
Red Hat, Inc.

Under development

The mod_proxy module was separated from the Apache 2.0 tree in February this year, to allow development of the core server to continue independently of the proxy, and vice versa. Since then, the mod_proxy team has made significant changes to bring the code up to date, and make it use the new Apache 2.0 module interface. Now that development has stabilised, the group decided to bring the module back into the standard distribution so it can gain more testing.

Discussion of the bucket brigades interface in Apache 2.0 was revived this week, with several iterations of a patch from Justin Erenkrantz to improve the API, and rewrite the HTTP filter, which performs the HTTP protocol handling in 2.0.

Bill Stoddard announced his intention to tag for the Apache 1.3.21 release, which spurred the group into checking in some last-minute changes for the Cygwin and Win32 ports, along with some fixes for mod_proxy. It looks likely the release will be made sometime next week.


Security Reports

Two vulnerabilities have recently been found in Apache 1.3.20. These issues have already been fixed in the code base in preparation for the 1.3.21 release.

  • A vulnerability was found in the Win32 port of Apache 1.3.20. A client submitting a very long URI could cause a directory listing to be returned rather than the default index page. A 403 Forbidden will now be returned. The Common Vulnerabilities and Exposures project has assigned the name CAN-2001-0729 to this issue.
  • A vulnerability was found in the split-logfile support program. A request with a specially crafted Host: header could allow any file with a .log extension on the system to be written to. PR#7848. The Common Vulnerabilities and Exposures project has assigned the name CVE-2001-0730 to this issue.
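The split-logfile issue above is a reminder that a file name built from client-supplied data (here the Host: header, copied into the first field of a vhost-prefixed log) must be validated before it is opened for writing. As an added illustration, not the support program's own code and not the fix that shipped in 1.3.21, the following Python sketch performs the same splitting step but allow-lists the hostname before turning it into a path; the sample log lines, the pattern and the `default` fallback name are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample of a vhost-prefixed combined log, in the layout split-logfile
# consumes: the first field is the virtual host name taken from the Host: header,
# so the third line carries an attacker-controlled value rather than a hostname.
SAMPLE_LOG = """\
www.example.com 192.0.2.10 - - [28/Sep/2001:10:00:00 +0000] "GET / HTTP/1.0" 200 1234
static.example.com 192.0.2.11 - - [28/Sep/2001:10:00:01 +0000] "GET /a.gif HTTP/1.0" 200 42
../../../tmp/evil 192.0.2.12 - - [28/Sep/2001:10:00:02 +0000] "GET / HTTP/1.0" 200 10
"""

# Allow-list of what may become a file name: plain hostname characters only, no
# separators, no leading dot. This pattern is an assumption for the example.
SAFE_VHOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vhost_to_logfile(vhost: str, logdir: str, fallback: str = "default") -> str:
    """Map a Host:-derived name to '<logdir>/<name>.log'.

    Anything that is not a plain hostname is written to the fallback file
    instead, so a crafted first field can never select another path.
    """
    base = Path(logdir)
    name = vhost.lower()
    if not SAFE_VHOST.fullmatch(name):
        name = fallback
    target = base / f"{name}.log"
    # Second, independent check: the final path must still sit directly in logdir.
    if target.resolve().parent != base.resolve():
        target = base / f"{fallback}.log"
    return str(target)


def split_log(text: str, logdir: str) -> dict:
    """Group log lines by validated target file; returns {file name: [log lines]}."""
    grouped = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        vhost, _, rest = line.partition(" ")
        target = Path(vhost_to_logfile(vhost, logdir)).name
        grouped.setdefault(target, []).append(rest)
    return grouped


if __name__ == "__main__":
    for fname, lines in split_log(SAMPLE_LOG, "/var/log/apache").items():
        print(f"{fname}: {len(lines)} line(s)")
```

The regular-expression check is the one that matters; the `resolve()` comparison is a second, independent guard so that a future change to the pattern cannot silently reopen the path problem.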

In the news

IIS to Apache migration

Last week (Apache Week #263) we commented on the Gartner recommendation that IIS users switch to something more secure, like Apache. In "Microsoft stands by IIS despite Gartner recommendation", CNN talk to Microsoft and a selection of companies. According to Microsoft:

"IIS is as secure as comparable products from other vendors"

But these statements do very little to reassure companies that have been hit by the recent security flaws. The CTO of one Californian law firm is switching to Apache on Linux:

"the experience of dealing with a previous IIS-related vulnerability and the continuous effort needed to keep it secure aren't worth it".

New look for apache.org

The main site for the Apache Software Foundation got a face-lift today as its new design was made live for the first time. Behind the scenes is an XML backend processed by Anakia, an XML transformation tool based on the Velocity template engine.

ASF join Project Liberty

The Apache Software Foundation signed up as a charter member of the Liberty Alliance Project this week. The main aim of the project is to create a ubiquitous single sign-on for any internet connected device, an alternative to the Microsoft Passport technology. Apache Software Foundation board member Ben Laurie said his personal goals for the project would include "an open standard, publicly reviewed. The ability to choose who acts as my authentication server. The ability to choose what the server reveals and to whom. And, of course, the best security we can achieve."


Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Moving on from output filters, Ryan Bloom explains how to write input filters in his latest article in the Apache 2.0 series. He highlights three differences between input and output filters, covers the ap_get_brigade function, and walks readers through an example input filter in detail. After reading this, you can start writing your own input filters.

Find out more about mod_perl in the first of a series of updated articles by Stas Bekman. "Why mod_perl?" intends to entice you to give it a try by revealing mod_perl's popularity and presenting a few well-known sites that are powered by it. Now that you're hooked, you'll be glad to know that it only takes 30 minutes to get started with mod_perl and here's how to do it.

Make a trip down memory lane with Rasmus Lerdorf, creator of PHP, as he guides us through PHP's origin, usage, syntax, and features in "Scripting the Web with PHP". It provides a good overview of all that PHP has to offer, with simple examples that illustrate the concepts clearly. The topics covered are the four different PHP tag styles, ways to install PHP, and how PHP handles variables and errors, manipulates strings, connects to relational databases, generates content in formats other than HTML, and manages sessions. He advises that the best way to learn PHP is to use it.

Nicholas Petreley shares with us two important PHP lessons that he had to learn the hard way while using PHP. His first lesson is not to intersperse HTML and other displayed text with PHP commands, so that your site is easier to maintain. The second lesson is to always specify both arguments to the crypt() function.

"You Can Get There from Here" part 1 and part 2 show you how to install, configure, and use Squirrelmail on your PHP4-enabled Apache web server. For better security, you can run Squirrelmail on an SSL-enabled Apache web server or implement Apache's basic authentication.


This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com