Apache Week
Issue 301, 5th July 2002

Copyright 2020 Red Hat, Inc


Under development

Apache 2.0 performance was again the hot topic on the development list this week as some detailed results of profiling httpd on AIX were sent in by IBM hacker Bill Stoddard. Several areas of code were targeted for optimisation after analysis of the results; of particular note were the request header parsing loops, which copied input data and used several temporary memory allocations. The discussion led to several optimisations being checked in, with more pending.

One of the changes included in Apache 1.3.26 has caused a few surprises, as parsing of the HTTP request line in Apache has become stricter, now rejecting some illegal requests which earlier versions accepted. Any client applications which were generating illegal request lines and getting away with it will find that, when talking to Apache 1.3.26, a 400 Illegal Request error response will be returned. An example of an illegal request line would be one that includes an unescaped space character in the URI. Consensus on the list was that the code should be reverted to the previous behaviour, following the IETF maxim: "be liberal in what you accept".
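The parsing change described above, as an added example that is neither Apache's own code nor part of the original article: a strict request-line parser in the spirit of 1.3.26 beside a lenient one matching the earlier behaviour the list wanted restored, plus the client-side fix (percent-encoding the space) that satisfies both. The function names (parse_strict, parse_lenient, is_strictly_valid, escape_uri) and the sample request lines are constructed for this example, and the grammar is an approximation of the RFC 2616 Request-Line rather than Apache's actual parser.

```python
import re
import urllib.parse
from typing import Tuple

# Added example (not Apache's parser). Approximation of RFC 2616:
#   Request-Line = Method SP Request-URI SP HTTP-Version CRLF
# Method is a token (no separators or whitespace), the URI may contain no
# whitespace, and the version is HTTP/<digits>.<digits>. An HTTP/0.9
# "simple request" (Method SP URI, no version) is also accepted.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_STRICT_RE = re.compile(rf"^({_TCHAR}+) (\S+)(?: (HTTP/\d+\.\d+))?$")
_VERSION_RE = re.compile(r"HTTP/\d+\.\d+")


class BadRequest(ValueError):
    """The request line is unparseable; a server would answer 400."""


def parse_strict(line: str) -> Tuple[str, str, str]:
    """Accept only well-formed request lines: exactly one SP between
    fields, no whitespace inside the URI, nothing trailing."""
    m = _STRICT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise BadRequest(f"illegal request line: {line!r}")
    method, uri, version = m.groups()
    return method, uri, version or "HTTP/0.9"


def parse_lenient(line: str) -> Tuple[str, str, str]:
    """'Be liberal in what you accept': first word is the method, last word
    is the version if it looks like one, and everything in between is glued
    back together as the URI. This is what lets an unescaped space survive;
    the cost is that the URI boundary is now a guess rather than a rule."""
    parts = line.split()
    if len(parts) < 2:
        raise BadRequest(f"cannot recover a method and URI from {line!r}")
    method = parts[0]
    if len(parts) >= 3 and _VERSION_RE.fullmatch(parts[-1]):
        return method, " ".join(parts[1:-1]), parts[-1]
    return method, " ".join(parts[1:]), "HTTP/0.9"


def is_strictly_valid(line: str) -> bool:
    """True if the strict parser would accept the line, False if it would
    answer 400."""
    try:
        parse_strict(line)
        return True
    except BadRequest:
        return False


def escape_uri(uri: str) -> str:
    """Client-side fix: percent-encode whitespace and other characters the
    strict grammar rejects, keeping the usual URI punctuation intact."""
    return urllib.parse.quote(uri, safe="/?=&%")


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    samples = [
        "GET /index.html HTTP/1.0",
        "GET /my file.html HTTP/1.0",   # unescaped space: rejected strictly
        "GET /my%20file.html HTTP/1.0",  # escaped: accepted by both
        "GET /",                          # HTTP/0.9 simple request
        "GET  /index.html HTTP/1.0",     # double SP: rejected strictly
    ]
    for s in samples:
        strict = "accept" if is_strictly_valid(s) else "400"
        print(f"{s!r:38} strict={strict:7} lenient={parse_lenient(s)}")
```

Running the block prints how each constructed line fares under both parsers. The lenient parser never answers 400 for these lines, but for "/my file.html" it has to decide where the URI ends by looking for something version-shaped at the end of the line; the strict parser refuses to guess. escape_uri shows the change a client needs so that the same request works against either behaviour.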

Those of you who prefer tinkering with Apache to playing the latest Playstation game may be interested in Chris Taylor's announcement of a binary build of Apache 2.0.39 for PS/2 Linux installations.

In the news

Two weeks ago we covered the details of the Chunked encoding vulnerability. This vulnerability allows a remote attacker to run arbitrary code on your server depending on your platform. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-0392 to this issue.

We strongly suggest that all users of Apache update their distributions to 1.3.26 or 2.0.39 or apply this patch to existing installations.

Over the last week various reports about an "Apache Worm" have surfaced. The worm currently seems to be fairly benign, focussing its attention on some FreeBSD systems only. Here are some of the news articles that covered the Apache worm:

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Web Developer's Virtual Library provides chapter 6 ("Security and users") of the book, "Web Development with Apache and Perl" by Theo Petersen in a few online installments for your perusal. Part I covers the basics of Secure Sockets Layer (SSL) and certificates, the steps to install OpenSSL and mod_ssl with Apache, and the steps to configure and test that your SSL-enabled Apache is working. Then Part II continues with setting up user authentication, and writing your own login page. There are still two more subsections on user management and login sessions to go before wrapping up this chapter.

Other reviews of the above book are available at Linux Journal, Perl Monks, and MetroWest Perl Mongers. Interested in reading more? You can download two sample chapters from the book's companion website.

Apache Week 300 giveaway

Our colleagues at Wrox Press have given us two copies of their book "Professional Apache 2.0" to give away.

Written by Apache Week reader and space tourism evangelist Peter Wainwright, the book covers all aspects of serving web sites using the Apache 2.0 web server. Read our comprehensive review all about it.

If you have not already entered for a chance to get your hands on a copy of the book, answer this simple question:

Which one of the following is the name of the security group that posted the first working exploit for the Apache chunked encoding vulnerability?

Send your answer to googles@apacheweek.com to reach us no later than July 10th 2002. Your email address will not be used for anything other than to let you know if you are a lucky winner. Two winners will be drawn at random from all correct entries submitted. One entry per person, no cash alternative.

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan