Apache Week
   
   Issue 319, 24th January 2003:  

Copyright 1996-2005
Red Hat, Inc.

In this issue


Security Reports

This week a pair of security issues have been announced that affect Windows versions of the 2.0 Apache httpd server.

  • Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain different files to the ones they requested via an HTTP request that contains certain illegal characters such as <.

    As an example, a file in the document root called "aa" would be returned by a request to Apache of http://www.example.com/fred/<a.

    This issue was reported to the Apache Security Team by Lionel Brits on 25th November 2002. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0017 to this issue.

  • Apache 2.0 before 2.0.44 on Windows platforms can be made to crash or in some cases execute arbitrary code by malicious requests that contain MS-DOS device names.

    Part of this issue is not just limited to Apache, it is a known security issue that various MS-DOS device names when accessed can cause some Windows versions to crash. A Microsoft security bulletin contains a patch that should also be applied to vulnerable systems.

    This issue was reported to the Apache Security Team by Matthew Murphy on 4th December 2002. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0016 to this issue.

These issues have both been fixed in Apache 2.0.44 which is now available. Windows users will also need to apply a patch to get Apache 2.0.44 to work correctly on their systems. The patch is available for download and more information about the problem is available in BZ#16288


In the news

Cross-Site Tracing issues

Earlier this week a paper was published, "Cross-Site Tracing" which gave details of how the TRACE HTTP request could be used in Cross-Site Scripting attacks. Unfortunately this issue has not been very well understood by the media and has received a unwarranted amount of attention.

When an HTTP TRACE request is sent to a web server that supports it, that server will respond echoing the data that is passed to it, including any HTTP headers. The paper explains that some browsers can be scripted to perform a TRACE request. A browser with this functionality could be made to issue a TRACE request against an arbitrary site and pass the results on elsewhere. Since browsers will only send authentication details and cookies to the sites that issue them this means a user having a browser with this functionality could be tricked into sending their cookies or authentication details for arbitrary sites to an attacker.

For example, if you visited a page that an attacker has carefully crafted, the page could cause your browser to bounce a TRACE request against some site for which you have authentication cookies. The result of the TRACE will be a copy of what was sent to the site, which will therefore include those cookies or authentication data. The carefully crafted page can then pass that information on to the attacker.

TRACE requests can be disabled by making a change to the Apache server configuration. Unfortunately it is not possible to do this using the Limit directive since the processing for the TRACE request skips this authorisation checking. Instead the following lines can be added which make use of the mod_rewrite module.

RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 

Although the particular attack highlighted made use of the TRACE functionality to grab authentication details, this isn't a vulnerability in TRACE, or in the Apache web server. The same browser functionality that permits the published attack can be used for different attacks even if TRACE is disabled on the remote web server. For example an attacker could create a carefully crafted page that when visited submits a hidden request to some arbitrary site through your browser, grabs the result and passes it to the attacker.


Apache 2.0.44 Released

Apache 2.0.44 was released on 21st January 2003 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.43, released on the 3rd October 2002. See what was new in Apache 2.0.43.

Apache 2.0.44 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.44 on Windows should upgrade to Apache 2.0.44. Read more about the other security issues that affect Apache 2.0.

Security issues

  • Apache was vulnerable to a denial of service attack via a request for MS-DOS device name on Windows 9x and Me. CAN-2003-0016
  • Apache allowed arbitrary code execution via crafted POST request containing MS-DOS device name on Windows 9x and Me.
  • Apache could be forced to serve unexpected files on Windows platforms by appending illegal characters such as '<' to the request URL. CAN-2002-0017

Bugs fixed

The following bugs were found in Apache 2.0.43 and have been fixed in Apache 2.0.44:

  • Allow escaping % sign in CustomLog format strings
  • mod_setenvif: fix BrowserMatchNoCase for non-regex patterns.
  • Return appropriate MIME response headers for negotiated responses from a body embedded in a type-map
  • Prevent 416 "Range not satisfiable" response in place of a redirect
  • Prevent files being left open for the duration of a keepalive connection, which could cause a "Too many open files" error
  • mod_ssl: several fixes for memory handling and leaks
  • mod_proxy: fix invalid Content-Length from pages fetched during server-side include processing.
  • LDAP modules: ensure correct load order in httpd.conf (BZ#14256); fix compatibility with Netscape LDAP libraries; fix Win32 build
  • mod_deflate: fix a memory leak when compressing dynamic content; always emit Vary headers
  • mod_isapi: fix several compatibility problems (BZ#14399, BZ#10408), and fix bug which caused invalid responses or log entries (BZ#10216)
  • CGI modules: fix streaming output from "nph-" scripts, for example CGI::IRC (BZ#8482); fix construction of command line from query strings (BZ#13914), handle environment variables which contain newlines in mod_cgid (BZ#14550); terminate CGI scripts when connection is dropped (BZ#8388)
  • Caching modules: many bug fixes (including BZ#14556), and an HTTP compliance fix (BZ#14556)

New features

  • Add an --enable-v4-mapped configure option to allow or disallow connections from IPv4-mapped addresses to IPv6 addresses, on applicable platforms (BZ#14037, PR#7492)
  • Add IndexOptions IgnoreCase option to mod_autoindex (BZ#14276)
  • Add EnableSendfile directive to disable use of sendfile() when necessary (for instance when serving an NFS share)
  • Add ProxyBadHeader directive to dictate handling of invalid HTTP responses headers
  • Add SERVER_ADDR keyword to mod_setenvif, to represent the server IP address for a particular request
  • Performance improvements
  • Add -S command-line option to httpd, equivalent to -t -DDUMP_VHOSTS

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

"Unifying Web Clusters with Spread" describes how Spread, a toolkit that provides a messaging service, can be used to implement distributed logging and to monitor applications running on many Web servers easily. The Apache module, mod_log_spread is an example where Spread is used to gather access logs for large web clusters into a single access log file.

O'Reilly ONLamp.com shows you how to configure and build your very own PHP 4.3 on Mac OS X. It provides a step-by-step guide on configuring PHP to enable additional extensions such as support for reading and writing XML using the DOM, and communicating with LDAP servers, and other parameters for a basic Apache and PHP installation.

"Security with PHP Superglobals" explains the concept of PHP Superglobals in layman terms. It starts by discussing two methods for submitting data through web forms known as GET and POST. Then it looks at the problem of identifying the origins of the variables and how Superglobals attempt to solve this.


This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
Comments or criticisms? Please email us at editors@apacheweek.com