Issue 288, 22nd March 2002:

Win32 remote command execution

Yesterday, Sanctum Inc. released a security advisory about a vulnerability in Apache for Win32 platforms. They found that remote commands can be executed during the processing of batch files.

Although they class this as a high risk, it should be noted that the vulnerability only affects the default installation of Apache 2.0 alpha and beta releases because they ship with an example batch file. Exploitation of this vulnerability on Apache 1.3 for Win32 requires that the administrator has set up '.bat' or '.cmd' batch file scripts.

The problem occurs because the input is not properly validated. It is possible to append commands as parameters to the batch file CGI script and have the shell interpreter execute them.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-0061 to this issue.

This issue does not affect Unix versions of Apache. This issue is fixed in Apache 1.3.24 and Apache 2.0.34. As a workaround, users of Apache on Win32 should disable any batch file CGI scripts.
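As an added illustration (not code from Apache or from the Sanctum advisory), the following script shows one way to review access logs for requests that pass shell metacharacters to a batch file CGI script. The log lines, script names, and the choice of `&|<>^` as the cmd.exe metacharacter set are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Characters cmd.exe treats as command separators or redirection operators
# (assumed set for this example; the advisory text above names none).
CMD_METACHARS = set("&|<>^")

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A .bat or .cmd script name followed by path info, a query string, or nothing.
BATCH_RE = re.compile(r"\.(bat|cmd)(?=[/?]|$)", re.IGNORECASE)

# Constructed sample log lines (documentation addresses, hypothetical scripts).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2002:10:01:02 +0000] "GET /cgi-bin/report.bat?month=03 HTTP/1.0" 200 512',
    '192.0.2.44 - - [22/Mar/2002:10:01:09 +0000] "GET /cgi-bin/report.bat?month=03%7CEXAMPLE HTTP/1.0" 200 98',
    '192.0.2.44 - - [22/Mar/2002:10:01:15 +0000] "GET /cgi-bin/stats.cmd?a=1%2526x HTTP/1.0" 200 98',
    '192.0.2.10 - - [22/Mar/2002:10:02:00 +0000] "GET /index.html?a=1&b=2 HTTP/1.0" 200 2048',
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded characters are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_batch_request(log_line):
    """Return the sorted metacharacters passed to a batch CGI script, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    target = decode_fully(match.group("target"))
    script = BATCH_RE.search(target)
    if not script:
        return None  # not a request for a .bat/.cmd script
    found = CMD_METACHARS & set(target[script.end():])
    return sorted(found) or None


def scan(lines):
    """Return (line, metacharacters) pairs for every flagged line."""
    hits = ((line, flag_batch_request(line)) for line in lines)
    return [(line, chars) for line, chars in hits if chars]
```

A literal `&` separating ordinary query parameters is flagged as well; since the workaround is to disable batch file CGI scripts entirely, any hit is worth reviewing.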

SGI warns of Apache vulnerabilities on IRIX

ZDNet News reports that SGI are warning of Apache-IRIX vulnerabilities. However, none of these vulnerabilities are new or in fact particularly serious; they are simply the problems that were found in Apache 1.3.22, which is the version of Apache currently shipped with IRIX 6.5. Find out more about the security issues in Apache httpd 1.3.22.

A new Apache 1.3 release, 1.3.24, was made ready for testing this week. Along with the security fix for Win32 users covered above, the 1.3.24 release has many fixes to the new mod_proxy code introduced in 1.3.23, and the usual set of minor bug and portability fixes. The release is due to be made public on Saturday, after testing is complete.

Apache 2.0's behaviour when restarting and shutting down was under discussion again this week, after problems were found in several different places: daemon processes created by mod_cgid could be left running after a restart, and connections could be dropped in graceful restarts and shutdowns. A "graceful shutdown" occurs on certain fatal error conditions which can be handled without dropping existing client connections. Fixes were checked in by Jeff Trawick.

In this section we highlight some of the articles on the web that are of interest to Apache users.

"User Authentication With Apache And PHP" shows you how to implement basic access control by using built-in Apache authentication. After looking at various situations where it is preferable to write your own code, it then demonstrates how to use PHP with its built-in session management support to write your own custom code to authenticate users, maintain session information, handle login/logout operations, and validate users against information stored in a MySQL database.

In "Generating Web content with Cocoon", Michael Classen first compares the new version of Cocoon with its predecessor. He then explains that the pipeline is the main concept in Cocoon, since Cocoon generates content on the Web by piping XML through a configurable set of tools, and proceeds to briefly illustrate how this is easily done.

We sign off this section with a light personal account from Ken Coar about NordU2002 in Helsinki, Finland. He has a good tip for wireless world travellers.

