Apache Week
Issue 281, 1st February 2002

Copyright 2020 Red Hat, Inc

In this issue

Under development

Hot on the heels of last week's new Apache 1.3 release, this week saw the 2.0 CVS tree tagged on Wednesday in preparation for a new release, 2.0.31. Along with the usual collection of bug fixes, this release will include some major improvements to mod_proxy support for proxying to FTP servers, including a new feature which allows retrieving a directory listing using a wildcard pattern, for instance ftp://ftp.server.com/pub/apache/*.tar.gz to list all .tar.gz files in that directory.

The Location headers produced by mod_alias.c were also the subject of discussion: it was discovered that the RedirectMatch directive allowed a redirect response to include a Location header containing a non-absolute URI. The HTTP specification requires that the URI returned in a Location header be absolute, i.e. that it include the "http://hostname" part; some web browsers may give a warning if they encounter a non-absolute URI.

Security Reports

mod_rewrite canonicalisation

mod_rewrite is a powerful module for Apache used for rewriting URLs on the fly. However with such power comes associated risks; it is easy to make mistakes when configuring mod_rewrite which can turn into security issues.

A few months ago the bugtraq mailing list carried details of how to circumvent one of the access control examples from the mod_rewrite documentation. However, the issue is much more widespread than that message suggests: it arises because mod_rewrite does not perform full canonicalisation of the path portion of the URL. Specifically, by sending Apache a URI containing more than one consecutive slash (such as '//') it is often possible to bypass RewriteCond and RewriteRule directives.

Take for example one of the configurations in the mod_rewrite documentation:

RewriteRule ^/somepath(.*) /otherpath$1 [R]

Requesting http://yourserver/somepath/fred will redirect and return the page http://yourserver/otherpath/fred as expected. However, requesting http://yourserver//somepath/fred will bypass this particular RewriteRule, because the pattern anchors on exactly one leading slash, potentially serving a page you did not intend to expose. If you use mod_rewrite for access restriction this could have serious consequences.

If you use mod_rewrite on your server, look through your RewriteRule (and RewriteCond) directives to see if you are vulnerable. You can work around the problem by making sure that each pattern matches one or more leading slashes rather than exactly one. To fix the example above you could use this replacement:

RewriteRule ^/+somepath(.*) /otherpath$1 [R]

Multiple consecutive slashes are valid in a URI, so it is useful for mod_rewrite to be able to tell the difference between /somepath and //somepath. Because of this it is not yet known how, if at all, the issue will be fixed in future versions of mod_rewrite.
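To see the bypass and the workaround side by side without touching a live server, here is a small model of how mod_rewrite matches a RewriteRule pattern against the request path. It is an added example written for this article, not code from Apache or from the mod_rewrite documentation; the helper names, the probe paths and the extra "deny" rule are our own constructions, and the regex engine is Python's rather than Apache's POSIX one (the patterns used here behave the same in both).

```python
import re

# Added example (not from Apache Week or the Apache project): a minimal model
# of RewriteRule matching, used to show why '//somepath' slips past
# '^/somepath' and why '^/+somepath' catches it.  Names and sample paths are
# our own constructions.

WEAK_RULE = (r"^/somepath(.*)", "/otherpath$1")    # example from the mod_rewrite docs
FIXED_RULE = (r"^/+somepath(.*)", "/otherpath$1")  # workaround given in the text

# Hypothetical access-restriction rule of the shape the text warns about:
# "RewriteRule ^/private - [F]" (the '-' substitution means "no rewrite").
DENY_RULE = (r"^/private", "-")


def apply_rule(rule, path):
    """Return the substituted path if the pattern matches `path`, else None.

    As in mod_rewrite, the pattern is an ordinary regex that is only anchored
    when it carries '^', and '$1'..'$9' in the substitution refer to capture
    groups of the pattern.
    """
    pattern, substitution = rule
    m = re.search(pattern, path)
    if m is None:
        return None
    # Translate mod_rewrite's $N back-references into the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", substitution)


def bypass_variants(path):
    """Constructed probe paths: the same request with extra leading slashes."""
    stripped = path.lstrip("/")
    return ["/" + stripped, "//" + stripped, "///" + stripped]


def find_bypasses(rule, path):
    """Return the probe variants of `path` that the rule fails to match.

    An empty list means the rule sees every variant; anything else is a
    request that reaches the filesystem (or a later rule) unrewritten.
    """
    return [v for v in bypass_variants(path) if apply_rule(rule, v) is None]


if __name__ == "__main__":
    for name, rule, path in (("weak", WEAK_RULE, "/somepath/fred"),
                             ("fixed", FIXED_RULE, "/somepath/fred"),
                             ("deny", DENY_RULE, "/private/secret")):
        for variant in bypass_variants(path):
            print(f"{name:5} {variant:22} -> {apply_rule(rule, variant)}")
        print(f"{name:5} bypassed by: {find_bypasses(rule, path)}")
```

Running the script shows the weak rule and the deny rule both ignoring the double- and triple-slash variants, while the rule with ^/+ rewrites all three to /otherpath/fred. The same `find_bypasses` check can be pointed at any pattern of your own that starts with a single literal slash.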

In the news

Updated Apache surveys

It has been over four months since we last reported on new figures from the Netcraft and E-Soft surveys of web sites. Overall there has been little change from month to month. Netcraft find that Apache and servers based on Apache have around 58% market share, and E-Soft report nearly 65%. In the secure server space, E-Soft find Apache and Stronghold together have just over 60% market share.

The February 2002 Netcraft report discusses the new top level domains, as well as highlighting a round of funding for Apache-related product provider, Covalent.

The E-Soft report goes into a lot of interesting detail, showing information such as the versions of servers being used and the most popular modules. We found one graph particularly interesting, showing the increase in usage of DAV over time.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

True to his promise, Kevin Hemenway is back by popular demand with "Apache Web-Serving with Mac OS X, Part 4", an extension to his original trilogy. He shows us how to turn off automatic index generation, customise error pages, and configure access control and authentication. For fans of the late Douglas Adams, he even throws in a riddle about the "Hitchhiker Guide" at the end of his article. Carry on Kevin!

"Managing Logging with Numerous Virtual Hosts in Apache" takes the opposite approach to the problem of having too many log files. It proposes that all virtual hosts log their transactions into a single log, which is then split into the respective virtual host log files using the split-logfile Perl script and a shell script. The only downside is that the logs for each virtual host can only be analysed periodically, after the main log has been processed.

PHPBuilder exposes the secret of getting PHP to work with ORACLE 8i with mod_php built as a dynamic Apache module. Meanwhile Zend provides more food for the security table with "Secure Programming in PHP". A must-read for PHP developers keen on improving the security of their existing PHP applications and brushing up their programming techniques.

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan