Apache 2.0 performance was again the hot topic on the development
list this week as some detailed results of profiling httpd on AIX were sent
in by IBM hacker Bill Stoddard. Several areas of code were targetted
for optimisation after some analysis of the results; of particular
note was the request header parsing loops which copied input data and
used several temporary memory allocations. The discussion led to
several optimisations being checked-in, with more pending.
One of the changes included in Apache 1.3.26 has caused a few surprises
as parsing of the HTTP request line in Apache has become stricter;
now rejecting some illegal requests which earlier versions accepted. Any
client applications which were generating illegal request lines and getting
away with it will find that when taking to Apache 1.3.26 a 400 Illegal
Request error response will be returned. An example of an
illegal request line would be to include an unescaped space character
in the URI. Consensus on the list was that the code should be
reverted to the previous behaviour, following the IETF maxim: "be
liberal in what you accept".
Those of you who prefer tinkering with Apache to playing the latest
Playstation game may be interested in Chris Taylor's announcement
of a binary build of Apache 2.0.39 for PS/2 Linux installations.
Two weeks ago we covered the
details of the Chunked encoding vulnerability. This vulnerability allows
a remote attacker to run arbitrary code on your server depending on your
platform. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-0392 to this issue.
We strongly suggest that all users of Apache update their
distributions to 1.3.26 or 2.0.39 or
apply this patch to existing installations.
Over the last week various reports about an "Apache Worm" have surfaced.
The worm currently seems to be fairly benign, focussing its attention
on some FreeBSD systems only. Here are some of the news articles
that covered the Apache worm:
In this section we highlight some of the articles on the web that are of
interest to Apache users.
Web Developer's Virtual Library provides chapter 6 ("Security and users")
of the book, "Web Development with Apache and Perl" by Theo Petersen
in a few online installments for your perusal.
covers the basics of Secure Sockets Layer (SSL) and certificates, the
steps to install OpenSSL and mod_ssl with Apache,
and the steps to configure and test that your SSL-enabled Apache is
continues with setting up user authentication, and writing your own
login page. There are still two more subsections on user
management and login sessions to go before wrapping up this chapter.
Other reviews on the above book are available at
MetroWest Perl Mongers.
Interested to read more? Then you can download two sample
chapters from its
Our colleagues at Wrox Press have given us two copies of their
book "Professional Apache 2.0" to give away.
Written by Apache Week reader and space tourism evangelist
Peter Wainwright, the book covers all aspects of serving web
sites using the Apache 2.0 web server.
review all about it.
If you have not already entered for a chance to get your hands a copy of the book, answer this simple
Which one of the following is the name of the security group
that posted the first working exploit for the Apache chunked
A) GRUMBLES, B) GOBBLES, or C) GURGLES
Send your answer to firstname.lastname@example.org
to reach us no later than July 10th 2002.
Your email address will not be used for
anything other than to let you know if you are a lucky winner.
Two winners will be drawn at random from all correct entries submitted,
One entry per person, no cash alternative.