Issue 289, 29th March 2002:

Apache 1.3.24 Released

Apache 1.3.24 was released on 22nd March 2002 and is now the latest version of the Apache server. The previous release was 1.3.23, released on 24th January 2002. See what was new in Apache 1.3.23.

Apache 1.3.24 is available in source form for compiling on Unix or Windows, for download from the main Apache site or from any mirror download site.

This is a security, bug fix and minor upgrade release, with a few new features. Users should upgrade if they are running on Windows, are affected by any of the bugs mentioned below, or would like to use any of the new features.

Due to security issues, any sites using versions prior to Apache 1.3.22 should upgrade to at least Apache 1.3.22. Read more about all the security issues that affect Apache 1.3.

Security issues

  • Apache for Win32 before 1.3.24 allows remote attackers to execute arbitrary commands via parameters passed to batch file CGI scripts. More details in Apache Week issue 288 or CVE-2002-0061.

    The problem occurs because the input is not properly validated: it is possible to append shell commands to the query arguments passed to a batch file CGI script and have the command interpreter (cmd.exe or command.com) execute them.

    The characters % and \r have been added to the list of dangerous characters for Win32 and OS/2, and the command line is now passed to the interpreter double quoted. In addition, Apache now identifies command.com versus cmd.exe earlier, and treats command.com as a 16-bit application.

    As additional protection in case further CGI argument vulnerabilities are found, a new directive, CGICommandArgs Off, allows administrators to disable the query argument passing mechanism entirely (scripts still receive the query string in the QUERY_STRING environment variable, only the command-line copy is suppressed).

  • A bug was found that could cause invalid hostnames to appear in Apache log files. A double-reverse lookup (performed, for example, for Allow from .example.com) resolves the client address to a name and then checks that the name resolves back to the same address; if that check failed, the unverified, possibly spoofed, reverse-DNS name could still be written to the logs. Note that this bug does not give any access to protected resources; it only affects what gets written to the log file.
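As an added example (not code from Apache or Apache Week), the following Python scans access_log lines for requests that would have reached a batch-file CGI script as command-line arguments. It relies on the CGI/1.1 rule that a query string containing no unencoded = is passed to the script as argv, and screens the decoded arguments for cmd.exe metacharacters, including the % and \r that 1.3.24 added to Apache's own list. The log lines, script names and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access_log lines in Combined Log Format; these are sample
# data written for this example, not traffic from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2002:10:14:02 +0000] "GET /cgi-bin/test.bat?hello HTTP/1.0" 200 312 "-" "Mozilla/4.0"
10.0.0.5 - - [29/Mar/2002:10:14:09 +0000] "GET /cgi-bin/test.bat?|dir+c:\\ HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
10.0.0.7 - - [29/Mar/2002:10:15:31 +0000] "GET /cgi-bin/test.bat?%25COMSPEC%25 HTTP/1.0" 200 512 "-" "curl/7.9"
10.0.0.7 - - [29/Mar/2002:10:15:40 +0000] "GET /cgi-bin/test.bat?foo%0ddir HTTP/1.0" 200 512 "-" "curl/7.9"
10.0.0.9 - - [29/Mar/2002:10:16:01 +0000] "GET /cgi-bin/test.bat?name=bob&x=|dir HTTP/1.0" 200 100 "-" "Mozilla/4.0"
10.0.0.9 - - [29/Mar/2002:10:16:05 +0000] "GET /cgi-bin/search.pl?|dir HTTP/1.0" 200 100 "-" "Mozilla/4.0"
"""

BATCH_SCRIPT = re.compile(r"\.(bat|cmd)$", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Characters cmd.exe interprets on a command line.  '%' (environment
# variable expansion) and '\r' are the two that 1.3.24 added to Apache's
# dangerous-character list for Win32; the rest were already screened.
SHELL_META = set("|&<>^%\r\n;")


def query_becomes_argv(query):
    """CGI/1.1 rule: a query string with no unencoded '=' is handed to the
    script as command-line arguments (the ISINDEX convention).  Only those
    requests can reach the batch interpreter's command line at all."""
    return query != "" and "=" not in query


def suspicious_batch_cgi(log_text):
    """Return one finding per request whose decoded argv for a .bat/.cmd
    script contains a shell metacharacter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not BATCH_SCRIPT.search(path) or not query_becomes_argv(query):
            continue
        # Apache decodes %XX and '+' before building the command line,
        # so the screening has to be done on the decoded form.
        argv = unquote_plus(query)
        hits = sorted(SHELL_META.intersection(argv))
        if hits:
            findings.append({"ip": line.split(" ", 1)[0], "script": path,
                             "argv": argv, "meta": hits})
    return findings


if __name__ == "__main__":
    for f in suspicious_batch_cgi(SAMPLE_LOG):
        print(f"{f['ip']} {f['script']} argv={f['argv']!r} meta={f['meta']}")
```

The fifth sample line is deliberately not flagged: its query string contains =, so Apache never puts it on the command line, and the sixth is not flagged because search.pl is not run through the batch interpreter. Both exclusions matter for keeping the detector's false positives down on a busy cgi-bin.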
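The double-reverse check itself, together with the logging fallback that the bug above got wrong, as an added Python example (not Apache's code). The PTR and A records are a constructed table standing in for real resolver calls, and the names and addresses are invented.

```python
# Constructed DNS data standing in for resolver calls.  The PTR record for
# 198.51.100.7 is the attacker-controlled part: anyone who controls the
# reverse zone for their own address can point it at any name they like.
PTR = {
    "192.0.2.10": "host10.example.com",   # honest: PTR and A agree
    "198.51.100.7": "admin.example.com",  # spoofed: example.com never points here
    "203.0.113.3": None,                  # no PTR record at all
}
A = {
    "host10.example.com": ["192.0.2.10"],
    "admin.example.com": ["192.0.2.50"],
}


def double_reverse(ip, ptr=PTR, a=A):
    """Return the verified hostname for ip, or None.

    Step 1: reverse lookup ip -> name.
    Step 2: forward lookup name -> addresses, and accept the name only if
    the original ip is among them.  Only the forward zone's owner can make
    step 2 succeed, which is what makes the name trustworthy."""
    name = ptr.get(ip)
    if name is None:
        return None
    if ip not in a.get(name, []):
        return None
    return name


def allow_from_suffix(ip, suffix):
    """Allow from .example.com semantics: the verified name must end in suffix."""
    name = double_reverse(ip)
    return name is not None and name.endswith(suffix)


def log_remote_host(ip):
    """What belongs in the log: the verified name, or the bare address when
    verification failed.  A failed check yields no trustworthy name at all."""
    name = double_reverse(ip)
    return name if name else ip


def log_remote_host_buggy(ip, ptr=PTR):
    """Models the 1.3.23 behaviour described above: when the double-reverse
    check failed, the unverified PTR answer was still written to the log."""
    name = double_reverse(ip)
    return name if name else (ptr.get(ip) or ip)


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "allow:", allow_from_suffix(ip, ".example.com"),
              "logged:", log_remote_host(ip),
              "1.3.23 would log:", log_remote_host_buggy(ip))
```

The access decision was never wrong, since allow_from_suffix only ever sees the verified name; the spoofed name leaked only through the logging path, which is why the page notes that no protected resource was exposed.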

New features

The main new features in 1.3.24 (compared to 1.3.23) are:

  • Add IgnoreCase keyword to the IndexOptions directive to allow filename listings to ignore case
  • The proxy code read from the backend server in a hard-coded 8192-byte buffer. A new directive, ProxyIOBufferSize, specifies the size of the buffer used to read from the remote server
  • Previously the proxy waited until the response had been delivered to the client completely before closing the backend connection. Now the backend connection is closed as soon as the last byte is read from it, freeing up resources
  • mod_alias writes a warning to the error log if it fixes up an incomplete redirection target (such as turning /foo into http://host/foo). Since this is a supported operation the message has been demoted so that it will only show up at LogLevel debug
  • When using mod_proxy to access FTP sites it was impossible to reach a directory above the login directory, because /../ sequences are resolved by the browser and never sent to the server. This affects other proxies as well; the Squid proxy uses a "%2f hack" which has been adapted to work in Apache. By prepending /%2f to the path of the request you can make the proxy start at the FTP root directory / rather than at the home directory of the logged-in user

The main new features that apply to specific platforms are:

  • Provide new logging to help Win32 users debug CGI scripts. At LogLevel info the CGI command invoked is logged; at LogLevel debug the environment variables are also logged
  • Added a logging module for NetWare, mod_log_nw, as NetWare is unable to use the rotatelogs utility
  • Added a -e command line option for NetWare to force all fatal configuration file errors to the logger screen. This allows Apache to shut down cleanly and completely on an error condition

Bugs fixed

The following bugs were found in Apache 1.3.23 and have been fixed in Apache 1.3.24:

  • Fix a segfault in mod_include which could be triggered by improperly terminated conditional directives such as #if
  • Fix a problem in mod_proxy where the Server header from the backend system would be replaced by one from Apache, which violated RFC 2616. This fix has introduced a further issue which allows modules to override the Server header, but this will be fixed in the next release
  • There is a problem in mod_proxy where each entry of a duplicated header such as Set-Cookie overwrites the previous value of the header, so that multiple header values (such as several cookies) go missing. A fix was committed to 1.3.24 but does not actually fix the problem (see Under development below)
  • Fixes to apxs to allow the -S option to contain quotes, and to rebuild apxs when options have been changed
  • The Location response header, used for external redirects, must be an absolute URI. The Redirect directive tested for that, but RedirectMatch did not and would let almost anything through
  • Fix a longstanding bug where errors returned by src/Configure were not noticed by the top level configure script. That was bad for automated production environments, as errors would pass through unnoticed
  • mod_proxy sent HTTP/1.0 requests to the backend even though it is now HTTP/1.1 compliant; it now sends HTTP/1.1 requests
  • A number of other changes have been made to FTP handling in mod_proxy, including properly escaping file names from directory listings, a cleanup of the output HTML, the output of directory listings in ASCII to avoid issues with EBCDIC servers, and properly closing the data and control channels to the server
  • Previous fixes to mod_rewrite in Apache 1.3.23 broke the ability to do random balancing. PR#10090, PR#10185

The following bugs relate to specific platforms:

  • The Win32 port has had the remaining cases of blocking network IO eliminated
  • A change has been made on TPF to make the ap_open_logs call the same as on other platforms and prevent a possible SIGPIPE in standalone_main
  • Work around a bug in Windows XP that caused data corruption on writes to the network
  • The support for enabling pthreads-based accept() serialization using the AcceptMutex configuration directive suffered from a serious problem on Solaris, as the pthreads library was not being linked into the httpd executable. This meant that the stub versions of the mutex functions in the C library were used instead, so no serialization was enforced at all. A quick check on an existing Solaris build is that ldd httpd lists libpthread; if it does not, the stubs are what the server is calling

Under development

Shortly after the announcement of 1.3.24 more problems with mod_proxy were found. Whilst the release announcement stated that handling of multiple Set-Cookie headers was fixed, it was discovered that this bug was in fact still present in 1.3.24: a fix had been checked in, but a subsequent change then reverted the behaviour. Another fix was checked in, which it is hoped will finally close the issue. Additionally, a serious problem was unearthed with the new HTTP/1.1 support in the proxy: chunked responses from the backend were passed on to HTTP/1.0 clients, which do not understand chunked transfer coding, so an HTTP/1.0 browser would appear to receive corrupted content.
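The three mod_proxy response-handling points raised on this page (the backend's Server header must survive, every duplicate Set-Cookie must survive, and a chunked HTTP/1.1 backend response must not be passed through chunked to an HTTP/1.0 client) in one added Python example. This is illustrative code written for this page, not mod_proxy's own; the backend response is constructed, and the lossy dict-based variant is included only to show what losing duplicate headers looks like.

```python
# Constructed HTTP/1.1 backend response: two Set-Cookie headers and a
# chunked body.  Not captured from a real server.
BACKEND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: backend/1.0\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"Set-Cookie: lang=en; Path=/\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n\r\n"
)


def parse_response(raw):
    """Split a raw response into (status line, [(name, value), ...], body).
    Headers are kept as an ordered list so duplicates are preserved."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(b":")
        headers.append((name.decode("latin-1").strip(),
                        value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers, body


def headers_as_dict_lossy(headers):
    """The overwrite behaviour described above: a plain name->value table
    keeps only the last Set-Cookie and silently drops the rest."""
    return dict(headers)


def dechunk(body):
    """Decode a chunked body (chunk extensions ignored, trailers dropped)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip the chunk data and its trailing CRLF


def forward_to_client(headers, body, client_version):
    """Build the headers and body to send to the client.

    Every header from the backend is passed through unchanged (including the
    Server header and each Set-Cookie).  For an HTTP/1.0 client a chunked
    body is decoded, Transfer-Encoding is dropped and a Content-Length is
    added, because HTTP/1.0 clients do not understand chunked coding."""
    chunked = any(n.lower() == "transfer-encoding" and "chunked" in v.lower()
                  for n, v in headers)
    if client_version != "HTTP/1.0" or not chunked:
        return list(headers), body
    body = dechunk(body)
    out = [(n, v) for n, v in headers
           if n.lower() not in ("transfer-encoding", "content-length")]
    out.append(("Content-Length", str(len(body))))
    return out, body


if __name__ == "__main__":
    status, hdrs, raw_body = parse_response(BACKEND_RESPONSE)
    print("lossy table keeps only:", headers_as_dict_lossy(hdrs)["Set-Cookie"])
    out_hdrs, out_body = forward_to_client(hdrs, raw_body, "HTTP/1.0")
    print(status)
    for n, v in out_hdrs:
        print(f"{n}: {v}")
    print(out_body.decode())
```

An HTTP/1.1 client goes through the first return in forward_to_client and receives the chunked body untouched; only the HTTP/1.0 path rewrites the framing. Keeping headers as an ordered list of pairs rather than a mapping is the whole fix for the Set-Cookie problem.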

The Apache 2.0 tree was tagged ready for a 2.0.34 release this week; the release is currently set to wait for an upcoming change to the bucket brigades API. A perplexing bug was also fixed in 2.0 where non-standard HTTP response codes would appear in the error_log. This was traced to a mismatch between the return values used in the filters interface and those expected: some filters returned APR status values rather than HTTP status codes.

In the news

Sun backs down on Java licensing restrictions

The Apache Software Foundation announced this week that it had reached an agreement with Sun Microsystems over the right to implement Java Specifications in open source. The dispute hinged around the JSPA (Java Specification Participation Agreement), a legal agreement which must be signed when joining the Java Community Process (JCP). The ASF headed a lengthy campaign to revise the JSPA, which currently allows -- and in some cases requires -- several restrictions which have hindered open-source Java projects.

