Hot on the heels of last week's new Apache 1.3 release, this week
saw the 2.0 CVS tree tagged on Wednesday in preparation for a new
release, 2.0.31. Along with the usual collection of bug fixes, this
release will include some major improvements to
mod_proxy support for proxying to FTP servers,
including a new feature which allows retrieving a directory listing
using a wildcard pattern, for instance
ftp://ftp.server.com/pub/apache/*.tar.gz to list all
.tar.gz files in that directory.
Discussion about the Location headers produced by
mod_alias.c was subject to discussion; it was
discovered that the RedirectMatch directive would allow a
redirect response to include a Location header which contained a
non-absolute URI. The HTTP specification requires that the URI
returned includes an "http://hostname" section; some web
browsers may give a warning if they encounter a non-absolute URI.
mod_rewrite is a powerful module for Apache
used for rewriting URLs on the fly. However with such power
comes associated risks; it is easy to make mistakes
when configuring mod_rewrite which can turn into security
A few months ago the
mailing list contained details of how to circumvent one of the
access control examples from the mod_rewrite
documentation. However the issue is much more widespread
than this message suggests
and is caused because mod_rewrite does not
perform full canonicalisation of the path portion of the URL. Specifically
by passing a URI to Apache with more than one slash
(such as '//') it is
often possible to bypass RewriteCond and
Take for example one of the configurations in the mod_rewrite documentation:
Requesting http://yourserver/somepath/fred will redirect
and return the page http://yourserver/otherpath/fred as
expected. However, requesting http://yourserver//somepath/fred
will bypass this particular RewriteRule,
potentially serving a page that you were not expecting it to.
If you use mod_rewrite
for access restriction this could have serious consequences.
RewriteRule ^/somepath(.*) /otherpath$1 [R]
If you use mod_rewrite on your server take a look through
your RewriteRule directives to see if you are
vulnerable. You can work around the problem by making sure that
rules will capture more than one slash. To fix the example above you
could use this replacement:
RewriteRule ^/+somepath(.*) /otherpath$1 [R]
Multiple consecutive slashes are valid in a URI and so it is useful
for mod_rewrite to be able to tell the difference between
/somepath and //somepath. Because of this
it is not yet known how the issue will be fixed, if at all, in future
versions of mod_rewrite.
It has been over four months since we last reported on new
figures from the Netcraft
surveys of web sites. Overall there has been little change from
month to month.
Netcraft find that Apache and servers
based on Apache have around 58% market share, and E-Soft
report nearly 65%. In the secure server space, E-Soft find
Apache and Stronghold together have just over 60% market share.
The February 2002 Netcraft
report discusses the new top level domains, as well as highlighting
a round of funding for Apache-related product provider,
The E-Soft report
report goes into a lot of interesting detail, showing
information such as the versions of servers being used and most
We found this graph particularly interesting,
showing the increase in
usage of DAV over
In this section we highlight some of the articles on the web that are of
interest to Apache users.
True to his promise, Kevin Hemenway is back by popular demand with
"Apache Web-Serving with Mac OS X, Part 4",
an extension to his original trilogy. He shows us how to turn off
automatic index generation, customise error pages, and configure
access control and authentication. For fans of the late Douglas Adams,
he even throws in a riddle about the "Hitchhiker Guide" at the end of
his article. Carry on Kevin!
"Managing Logging with Numerous Virtual Hosts in Apache"
applies a reverse approach to solve the problems of having too many
log files. It proposes that all virtual hosts log their transactions into
a single log which is then split into the respective virtual host
log files using split-logfile perl script and a shell script. The only
downside is that the logs for each virtual host can only be analysed
periodically after the main log has been processed.
PHPBuilder exposes the secret of
getting PHP to work with ORACLE 8i
with mod_php built as a dynamic Apache module.
Meanwhile Zend provides more food for the security table with
"Secure Programming in PHP".
A must-read for PHP developers keen on improving the security of
their existing PHP applications and brushing up their programming