In this issue
Apache 1.3.24 was released on 22nd March 2002 and is
now the latest version of the Apache server. The previous
release was 1.3.22, released on the 24th January 2002.
what was new in Apache 1.3.23.
Apache 1.3.24 is available in source form for compiling on
Unix or Windows, for download from the main Apache site
or from any mirror
This is a security, bug fix and minor upgrade release, with a few new
features. Users should upgrade if they are running on Windows,
will be affected by the
particular bugs mentioned below, or would like to use any of
the new features.
Due to security issues, any sites using versions prior to
Apache 1.3.22 should upgrade to at least Apache 1.3.22.
about all the security issues that affect Apache 1.3.
Apache for Win32 before 1.3.24 allows remote
attackers to execute arbitrary commands via parameters passed
to batch file CGI scripts. More details in
Apache Week issue 288 or
The problem occurs because the input is not properly validated; it
is possible to append commands as parameters to the batch file CGI
script and have the shell interpreter execute them
The characters % and \r have been added to the dangerous Win32/OS2
characters list, and the command line is now passed to the interpreter
double quoted. In addition Apache now introduces earlier
identification of command.com vs
cmd.exe, and treats command.com as a 16-bit application
As additional protection in case future CGI argument vulnerabilities
are discovered, a new directive CgiCommandArgs off
has been added to allow administrators to completely disable the query
argument passing mechanism in Apache
- A bug was found that could cause invalid hostnames to appear in Apache
log files. If a double-reverse lookup was performed (for example
for Allow from .example.com) but
failed, then a spoofed dns-reverse-address could appear in the logs.
Note this bug doesn't give any access to protected resources, it only
affects what gets written to the log file
The main new features in 1.3.24 (compared to 1.3.23) are:
- Add IgnoreCase keyword to the
IndexOptions directive to allow filename
listings to ignore case
- The proxy code read chunks from the backend server in a
hardcoded amount of 8192 bytes. A new directive
ProxyIOBufferSize has been added to specify the
size of the read buffer from the remote server
- Previously the proxy would wait until the response had been delivered
to the client completely before closing the backend connection. Now the
backend connection is closed as soon as the last byte is read from it,
freeing up resources
mod_alias writes a warning to the error log
if it fixes up a incomplete redirection target (such as turning
/foo into http://host/foo). Since this
is a supported operation the message has been demoted so that
it will only show up at LogLevel Debug
- When using mod_proxy to access FTP sites it was
impossible to reach a higher directory than the logged in directory,
as combinations of /../ are interpreted by the browser and
not sent to the server. This problem affects other proxies as well.
The Squid proxy uses a "Squid %2f hack" which has been adapted to work
By prepending /%2f to the path of your request, you can make
the proxy change the FTP starting directory to / instead
of starting at the home directory for the logged in user
The main new features that apply to specific platforms are:
- Provide new logging to assist Win32 users debug CGI scripts.
When at LogLevel info the
cgi command invoked is logged.
When at LogLevel debug
the environment variables are also logged
- Added a logging module for NetWare, mod_log_nw, as
NetWare is unable to use the RotateLog utility
- Added a -e command line directive for NetWare
to force all fatal configuration file errors to the logger screen.
This allows Apache to shutdown cleanly and completely on an
The following bugs were found in Apache 1.3.23 and have been
fixed in Apache 1.3.24:
- Fix a segfault condition in mod_include which could
be triggered by improper termination of conditional directives such as
- Fix a problem in mod_proxy where the Server
header from the backend system would be replaced by one from Apache. This
violated RFC2616. This fix has introduced a further issue which allows
modules to override the Server header, but this will be fixed in the next
- There is a problem in mod_proxy where each entry of a
duplicated header such as Set-Cookie would overwrite the
previous value of the header, resulting in multiple header
values (like cookies) going missing. A fix was committed to 1.3.24 but
doesn't fix the problem
- Fixes to apxs to allow the -S option to contain quotes, and
to rebuild apxs when options have been changed
- The Location response header, used for external
redirects, must be an absolute URI. The Redirect
directive tested for that, but RedirectMatch did not
and would allow almost anything through
- Fix a longstanding bug that errors returned by src/Configure
would not be noticed by the top level configure script.
That was bad for automated production environments, as errors would
pass through unnoticed
mod_proxy would send a HTTP/1.0 request even though
it is now compliant with HTTP/1.1
- A number of other changes have been made to FTP handling in
mod_proxy including properly escaping file names
from directory listings, a cleanup to the output HTML, the output of
directory listings in ASCII to avoid issues with EBCDIC servers, and the
closing of the data and control channels to the server properly
- Previous fixes to mod_rewrite in Apache 1.3.23 broke the
ability to do random balancing. PR#10090, PR#10185
The following bugs relate to specific platforms:
- The Win32 port has had the remaining cases of blocking network IO
- A change has been made on TPF to make make the ap_open_logs call the
same as other platforms and prevent a possible SIGPIPE in standalone_main
- Work around a bug in Windows XP that caused data
corruption on writes to the network
- The support for enabling pthreads-based accept() serialization
using the AcceptMutex configuration directive
suffered from a serious problem on Solaris platforms as
the pthreads library was not being linked into the
httpd executable. This meant stub versions of the mutex functions
are used from the C library, which resulted in no serialization being enforced
Shortly after the announcement of 1.3.24 more problems with
mod_proxy were found. Whilst the release
announcement stated that handling of multiple Set-Cookie
headers was fixed, it was discovered that this bug was in fact still
present in 1.3.24: a fix had been checked in, but a subsequent change
then reverted the behaviour. Another fix was checked in, which it was
hoped would finally close the issue. Additionally, a serious problem
was unearthed with the new HTTP/1.1 support in the proxy: chunked
responses would be returned to HTTP/1.0 clients, which could give the
effect of corrupted content in a HTTP/1.0 browser.
The Apache 2.0 tree was tagged ready for a 2.0.34 release this
week; the release is currently set to wait for an upcoming change to
the bucket brigades API. A perplexing bug was also fixed in 2.0 where
non-standard HTTP response codes would appear in the error_log. This
was traced to a mis-match between the return values used in the
filters interface and those expected: some filters returned APR status
values, rather than HTTP status codes.
Sun backs down on Java licensing restrictions
The Apache Software Foundation announced
this week that it had reached an agreement with Sun Microsystems over
the right to implement Java Specifications in open source. The
dispute hinged around the JSPA
(Java Specification Participation Agreement), a legal agreement which
must be signed when joining the Java Community Process (JCP). The ASF
headed a lengthy campaign to revise the JSPA, which currently allows
-- and in some cases requires -- several restrictions which have
hindered open-source Java projects.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Ads in Cache-Friendly Pages"
explains how you can have cacheable ads while maintaining an accurate
count of the hits by using redirects. First, it talks about entities and
cache control so that you can selectively apply cache headers to every
entity on your Web pages. Then it shows you two methods of
implementing the ads redirection - by configuring Apache's
Redirect directive, and by using a Perl script.
Zend.com provides PHP beginners with a tutorial on
how to encrypt and decrypt information with GnuPG using PHP.
It starts off by demonstrating how to use GnuPG via the command-line,
and then proceeds to use GnuPG within a PHP script.
The first installment of
"Error Handling In PHP"
delves into the types of PHP errors you may encounter, before moving
on to show you how to write some custom error handlers. As usual, the
Developer Shed supplies many sample scripts to illustrate its points.
No matter what platforms or services you are running, the fundamentals
of vulnerability management remain the same. If you are feeling
vulnerable lately, you may be interested to read this
Before you leave us, why not stop by the new
in town, launched by SearchWebManagement.com recently. You may see
us there too!
brought to you by: Gary Benson, Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at email@example.com