Apache Week
Issue 321, 21st February 2003:

Copyright 2020 Red Hat, Inc

In this issue

Under development

The development of a new MySQL-based authentication module mod_authn_mysql received some attention on the development list this week. This module is of particular interest as it is designed to use the new authentication framework in the unstable httpd-2.1 tree - a combination which for the first time allows Apache to authenticate a user against a MySQL database when using the Digest authentication protocol. Previously under Apache 1.3 and 2.0, extension modules such as mod_auth_mysql were limited to using the less secure Basic authentication protocol.

New releases from the 2.0 and 1.3 trees are in the pipeline; with version numbers 2.0.45 and 1.3.28, the releases currently look set to include mainly minor bug fixes.

Security Reports

OpenSSL timing attack

In a memo describing an upcoming paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to make it possible to retrieve the plaintext of a common, fixed block.

In order for an attack to be successful, an attacker must be able to act as a man-in-the-middle to intercept and modify multiple connections which all involve a common fixed plaintext block (such as a password), and have good network conditions that allow small changes in timing to be reliably observed. The attack demonstrated in the paper was performed against a secure e-mail client which polled regularly for new mail. To perform an equivalent attack on a web browser sending a request over SSL, the user would have to manually re-submit the request several hundred times whilst being presented with an error dialog each time.

Given these facts, it looks likely that an attacker would have significant difficulty in exploiting this flaw to decrypt any SSL web traffic. But as with all vulnerabilities you need to make your own risk assessment based on your individual circumstances.

A patch to correct this issue was released by the OpenSSL project earlier this week. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0078 to this issue.
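The distinction the attack exploits, and the shape of the fix, as an added example in C (not code from the paper or from OpenSSL): `verify_leaky` returns from the padding check before doing any MAC work, so a padding failure is both faster than a MAC failure and reported with its own error code; `verify_uniform` always computes and compares a MAC and reports a single error for both cases. The record layout, the four-byte `toy_mac` keyed checksum (a stand-in for HMAC, not a real MAC), the key and the sample data are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layout used here (constructed for this example, modelled on a
 * decrypted TLS CBC record): data || MAC || padding, where the padding is
 * (padlen + 1) bytes that all hold the value padlen. */
#define MAC_LEN 4

enum { REC_OK = 0, REC_BAD_PADDING = 1, REC_BAD_MAC = 2, REC_BAD_RECORD = 3 };

/* Toy keyed checksum standing in for HMAC-SHA1. It is NOT a real MAC; only
 * the control flow around it matters for this example. */
static void toy_mac(const uint8_t *key, size_t keylen,
                    const uint8_t *data, size_t len, uint8_t out[MAC_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < keylen; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)    { h ^= data[i]; h *= 16777619u; }
    for (int i = 0; i < MAC_LEN; i++)   out[i] = (uint8_t)(h >> (8 * i));
}

/* Compare without an early exit on the first differing byte. */
static int ct_neq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d != 0;
}

/* Returns padlen if the trailing padding is well formed, else -1. */
static int check_padding(const uint8_t *rec, size_t len) {
    if (len < MAC_LEN + 1) return -1;
    unsigned pad = rec[len - 1];
    if ((size_t)pad + 1 + MAC_LEN > len) return -1;
    for (size_t i = 0; i <= pad; i++)
        if (rec[len - 1 - i] != pad) return -1;
    return (int)pad;
}

/* Leaky shape: a padding error returns at once, before any MAC work, and
 * with its own error code. Anyone who can tell the two failures apart, by
 * timing or by the code, has the oracle the paper describes. */
static int verify_leaky(const uint8_t *key, size_t keylen,
                        const uint8_t *rec, size_t len) {
    int pad = check_padding(rec, len);
    if (pad < 0) return REC_BAD_PADDING;
    size_t datalen = len - MAC_LEN - ((size_t)pad + 1);
    uint8_t mac[MAC_LEN];
    toy_mac(key, keylen, rec, datalen, mac);
    if (ct_neq(mac, rec + datalen, MAC_LEN)) return REC_BAD_MAC;
    return REC_OK;
}

/* Hardened shape: on a padding error, proceed as if padlen were 0 so a MAC
 * is still computed and compared over a record-sized input, and collapse
 * both failures into the single code REC_BAD_RECORD. */
static int verify_uniform(const uint8_t *key, size_t keylen,
                          const uint8_t *rec, size_t len) {
    if (len < MAC_LEN + 1) return REC_BAD_RECORD;
    int pad = check_padding(rec, len);
    int bad = (pad < 0);
    size_t datalen = len - MAC_LEN - (bad ? 1 : (size_t)pad + 1);
    uint8_t mac[MAC_LEN];
    toy_mac(key, keylen, rec, datalen, mac);
    bad |= ct_neq(mac, rec + datalen, MAC_LEN);
    return bad ? REC_BAD_RECORD : REC_OK;
}

/* Builds data || MAC || padding into out; returns the record length. */
static size_t build_record(const uint8_t *key, size_t keylen,
                           const uint8_t *data, size_t datalen,
                           uint8_t padlen, uint8_t *out) {
    memcpy(out, data, datalen);
    toy_mac(key, keylen, data, datalen, out + datalen);
    memset(out + datalen + MAC_LEN, padlen, (size_t)padlen + 1);
    return datalen + MAC_LEN + padlen + 1;
}
```

`ct_neq` avoids a comparison that stops at the first mismatching byte, but the padding check and the length of the MAC input still depend on the padding value, so this shape narrows the timing difference rather than removing it; a production implementation has to go further along the same lines, and must also make sure the alert sent on the wire is the same for both failures.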

Oracle mod_dav vulnerability

This week a security vulnerability in the version of the mod_dav module distributed by Oracle was announced. Oracle had modified mod_dav to add logging of a particular "502 Bad Gateway" error which can occur when using this module; unfortunately the change they made also introduced a format string vulnerability, allowing remote attackers to execute arbitrary code. The Common Vulnerabilities and Exposures project has assigned the name CAN-2002-0842 to this issue.

This issue does not affect any versions of the mod_dav module distributed from webdav.org, or the version included in Apache 2.0.
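The bug class behind the Oracle change, as an added example in C (not Oracle's or mod_dav's code): `errlog` stands in for a server logging call that takes a printf-style format, and the two `log_gateway_error_*` functions show the vulnerable shape (text that may echo request or upstream data passed where the format belongs) next to the fixed shape (a constant format, with the text supplied as a `%s` argument). `count_directives` is a small audit check for the same mistake. The function names and the sample message are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a server error-log routine: the last parameters are a
 * printf-style format and its values, exactly the shape that makes the
 * choice of what to pass as the format security-relevant. */
static int errlog(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape: the detail string, which can carry data echoed from the
 * request or from an upstream response, is passed as the FORMAT. Every '%'
 * directive inside it is interpreted by vsnprintf, with no arguments to
 * back it. */
static int log_gateway_error_vulnerable(char *out, size_t outlen,
                                        const char *detail) {
    return errlog(out, outlen, detail);
}

/* Fixed shape: a constant format; the untrusted text is only ever a value. */
static int log_gateway_error_fixed(char *out, size_t outlen,
                                   const char *detail) {
    return errlog(out, outlen, "502 Bad Gateway: %s", detail);
}

/* Audit helper: number of conversions (anything but the literal "%%") a
 * string would trigger if it reached a printf-family function as the
 * format. A non-zero result for a string that was supposed to be plain
 * text is the signature of this bug. */
static int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}
```

The test input below uses only the harmless `%%` escape, which is enough to show that the vulnerable path interprets the message (it comes out as a single `%`) while the fixed path logs it verbatim.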

The vulnerability caused a little confusion since SCO released an advisory this week claiming that OpenLinux was vulnerable to this issue and quoting the vulnerability as a problem in "Apache mod_dav module". SCO later withdrew their advisory once they were informed that OpenLinux had in fact never been vulnerable to the format string vulnerability at all. Increasing the confusion, the errata packages they provided as part of their security advisory actually added in the modifications Oracle had made to log this "502" error and so the SCO errata packages were in fact vulnerable to this issue.

Vendor modifications to Apache

The vulnerability found in the Oracle modifications to mod_dav is not the first security hole that has been introduced by third-party vendor modifications to Apache. However, our own research based on issues listed in the CVE dictionary shows that the majority of these vulnerabilities are due to poor configuration defaults rather than patches for new functionality that went wrong:

CVE             Type of Issue                                            Severity  Affected
CAN-2002-0842   Remote attacker can run arbitrary commands               High      Oracle
CAN-2002-0842   Remote attacker can run arbitrary commands               High      SCO (briefly)
CAN-2000-1168   Remote attacker can run arbitrary commands               High      IBM
CVE-2000-1016   Remote attacker can see files in /usr/doc                Low       SuSE Linux
CVE-2000-0883   Remote attacker can see files in /perl                   Medium    Mandrake Linux
CVE-2000-0869   Remote attacker can read and write any file in docroot   High      SuSE Linux
CVE-2000-0868   Remote attacker can obtain the source to CGI scripts     Medium    SuSE Linux
CVE-2000-0234   Remote attacker can read .htaccess files                 Medium    Cobalt
CVE-1999-0678   Remote attacker can see files in /usr/doc                Low       Debian Linux

Third-party modifications to Apache have also been known to cause other types of bugs. This is often frustrating for the Apache Software Foundation, who end up receiving all the bug reports for issues that don't even exist in the official Apache releases. This is one of the reasons why the Apache Software Foundation insists that vendors who modify Apache change the name of their version so that it is not confused with official Apache releases.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

O'Reilly ONLamp.com shows you how to customise "Page Not Found" messages using PHP and Apache, and what actions your error-handling page can take - such as serving your users another page based on the URL that was not found, creating a new page dynamically from a database, or even emailing the webmaster about the missing URL. PHP source code listings are provided for all the examples.

"Compress Web Output Using mod_gzip and Apache" starts with the basics of HTTP compression and then explains how mod_gzip works to achieve this for the Apache web server. A very brief guide describing how to integrate this module with Apache is provided.

An excerpt from "Chapter 5: Authentication" of "Apache: The Definitive Guide, 3rd Edition" is now available online courtesy of WebReference.com and O'Reilly. It covers authentication directives and passwords.

Enthusiasts of the Apache XML projects may like to read these articles on Builder.com about some of those projects. Can you mix Jelly, Ant, and Cocoon together without getting indigestion? Read and find out.

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan