Apache Week
Issue 272, 23rd November 2001:

Copyright 2020 Red Hat, Inc

In this issue

Under development

Support for Apache 2.0 on IBM's iSeries platform was under discussion this week, after some initial patches for a port were sent in by a contributor. It has been known since August this year that IBM have successfully ported 2.0 to this platform - although little code has been submitted back in this area so far, developers from IBM pledged that they will work on it.

Binary packages are starting to be made available for the 2.0.28 beta release announced last week, in RPM, Debian and FreeBSD port formats. There was some discussion between the package maintainers on how to choose consistent locations for configuration files.

In other news: a new look for the httpd.apache.org Apache developers' site went live this week; this was implemented using Anakia, the Velocity-based XML transformation tool. New committer Brian Pane made his first checkins to the 2.0 tree this week, with several more performance optimisations.

Apache Security

Confused about Apache vulnerabilities? It seems the media are, as we've been sent links to several stories over the last month that have directly compared vulnerabilities in Apache to those found in IIS. There is no single place you can get a list of all Apache vulnerabilities, so we have compiled our own. The list shows security vulnerabilities found in Apache 1.3 and is based on notifications and descriptions we've published in earlier issues, cross referenced to the Apache CHANGES file and the CVE dictionary.

The result is an Overview of security vulnerabilities in Apache httpd 1.3.

In summary, there have been a number of bugs that expose directory listings of files in your document root, a few bugs that could aid denial of service attacks, and a few bugs that could let remote attackers read any file on the server. Fortunately these last bugs require specific Apache configurations and don't affect default server installations. Contrast the Apache vulnerabilities with those in other servers such as IIS, where remote attackers can gain complete control of a vulnerable machine.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

"Avoiding security holes when developing an application - Part 6: CGI scripts" explores a few examples of poorly written Perl scripts which are vulnerable to security compromises. Before delving into the code, it gives an overview of how a web server works and explains server-side includes (SSIs) for Apache. Perl developers are advised to enable warnings (the -w switch), run under taint mode (the -T switch), and to specify "use strict" at the beginning of their Perl scripts.
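The following is an added example, not code from the reviewed article, showing what those three pieces of advice look like in a small CGI script. It serves one file from a fixed directory; the directory /var/www/data and the "file" query parameter are assumptions made for this demonstration. The interesting part is the untainting step: under -T, Perl will not pass request-derived data to open() until it has been through a regex capture, so the script is forced to state exactly which file names it accepts.

```perl
#!/usr/bin/perl -wT
# Added example (not the article's code): a CGI script that serves one file
# from a fixed directory, written the way the article advises: -w for
# warnings, -T for taint mode, and "use strict".  /var/www/data and the
# "file" parameter are assumptions for this demo.
use strict;
use CGI;

# Taint mode refuses to run with an inherited PATH, so fix one up front and
# drop the other environment variables a shell might honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $base = '/var/www/data';
my $q    = CGI->new;
my $name = $q->param('file');
$name = '' unless defined $name;

# The unsafe version this replaces, for contrast (never executed here):
#     open(FH, "$base/$name");
# With a two-argument open, a "file" parameter of "../../../etc/passwd"
# walks out of $base, and one ending in "|" runs a command.  Under -T,
# Perl dies with "Insecure dependency in open" instead of trying it.

# Untaint: accept only a plain file name made of safe characters that does
# not start with a dot, which also rules out ".", ".." and dotfiles.  Only
# what the regex captures is used; anything else is rejected outright.
my $safe;
if ($name =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]*)\z/) {
    $safe = $1;
} else {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Bad file name\n";
    exit 0;
}

# Three-argument open: the mode is explicit, so the name can never be
# interpreted as a pipe or a redirection.
open(my $fh, '<', "$base/$safe") or do {
    print $q->header(-status => '404 Not Found', -type => 'text/plain');
    print "No such file\n";
    exit 0;
};
print $q->header(-type => 'text/plain');
print while <$fh>;
close $fh;
```

To see taint checking at work, temporarily replace the regex block with `$safe = $name;` and request the script with `?file=foo`: Perl aborts at the open() with "Insecure dependency in open while running with -T switch", which is the whole point of the switch. The regex is deliberately a whitelist; a blacklist of ".." and "/" would still let through names such as a leading "-" or a NUL byte that some system calls treat specially.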

WebmasterBase.com reprinted "Chapter 15: Accessing PostgreSQL from PHP" of "Beginning Databases with PostgreSQL" (Wrox Press, 2001) by permission. This excerpt covers enabling PostgreSQL support in PHP 4, PHP functions for PostgreSQL, query manipulation, resultsets, error handling, and the PEAR database abstraction interface.

This short article briefly covers how to check that your Sun Crypto Accelerator Board 1 is working with Apache and mod_ssl, and points out the differences between this card and the Rainbow CS-200 card. Without going into any configuration details, it gives you an idea of the things to look out for when using this card.

Apache Week giveaway

We started a competition last week to give away ten unique Apache feather metal brooches. It seems that by making the question harder than normal we scared away our entrants, under 140 correct answers so far; so at the moment the odds of winning are better than 14:1! For a chance to get your hands on this unique gift just answer the following question (the news story linked from the question might help).

In the UK series of books the Mr Men, Mr Tickle was known for
A) impossibly long arms used for tickling people,
B) a nose that extends when he tells a lie, or
C) being grumpy

Send your answer (A, B, or C) to tickle@apacheweek.com to reach us no later than 25th November 2001. Your e-mail address will not be used for anything other than to let you know if you won.

Ten winners will be drawn at random from all correct entries submitted. We disqualify people who make more than one entry. There is no cash alternative, and the competition is void where prohibited. Items will be sent from Australia, so the recipient may be liable for customs duty or VAT on import. Winners will be asked to choose which feather they wish to receive from codes APAg, APAs, APAq, APAx, APSg, APSs, APSq, APSx. The editors' decision is final.

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan