Apache Week
   Issue 343, 12th March 2004:  

Copyright ©2020 Red Hat, Inc

In this issue

Security Reports

Over the last few weeks a number of minor security vulnerabilities that affect the Apache HTTP server have become known to the public. New releases that contain fixes to these issues are expected to be made available soon.

CAN-2004-0113: mod_ssl memory leak leads to DoS

A memory leak was found in the mod_ssl module included in Apache 2.0. By sending plain HTTP requests to the SSL port, an attacker can cause Apache to consume increasing amounts of memory which can lead to a denial of service.

This issue was reported to the public Apache bugzilla database (BZ#27106) on 20th February 2004. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0113 to this issue. A fix for this issue has been committed to the CVS tree and will be included in the next release.

CAN-2003-0993: Allow/Deny parsing on big-endian 64-bit platforms

A bug in the parsing of Allow and Deny rules using IP addresses without a netmask on big-endian 64-bit platforms causes the rules to fail to match. This could be an issue to sites that rely on these directives for access control to particular resources, as for an example the directive Deny from 192.168. would never match.

Fortunately this issue only affects the few big-endian 64-bit platforms such as sparc64 and powerpc64. This issue only affects Apache 1.3

The issue was reported to the public Apache bugzilla database (BZ#23850) on 15th October 2003. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0993 to this issue. A fix for this issue has been committed to the CVS tree and will be available in the next release.

CAN-2004-0173: Cygwin directory traversal

A bug was found in the encoding enforcements which affects Apache 1.3 and 2.0 when run on the Cygwin platform. A remote attacker can send maliciously constructed requests using .. (dot dot) sequences containing encoded backslash characters. These requests can cause Apache to return any file on the system, including files outside of the document root.

The issue was reported to the public Apache bugzilla database (BZ#26152) on 15th January 2004. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0173 to this issue. A fix for this issue will be available in the next releases.

Cookie path restrictions easily bypassed

When sending a cookie to a client you can specify a path restriction (the path attribute in a Set-Cookie header). A client should then be reasonably expected to only send that Cookie back to the server when requesting a resource under that path.

It was reported this week this week that a number of clients could be fooled into sending Cookies that had a path attribute to different paths on the same server by using directory traversal techniques.

For an illustration of this issue let us assume that we are using the Apache web server and that under our document root we have two directories, /tony/ and /gordon/. When visiting http://myhost/tony/, some server application returns a Set-Cookie header with a /tony/ Path attribute.

Set-Cookie: Password=nibbles; Path=/tony/

Now, when the browser visits http://myhost/tony/ again, the browser will send the Cookie to the server. However, if the browser visits http://myhost/gordon/, no Cookie will be sent. This is the expected behaviour

Apache will traverse directory paths found in requests, so a request for /gordon/../tony/ will be treated the same as a request for /tony/. By encoding this traversal (a "." becomes "%2e") you can fool most browsers. So with a vulnerable browser, visiting http://myhost/tony/%2e%2e/gordon/ will actually return the /gordon/ subdirectory but the browser has been tricked into sending the restricted Cookie. This allows Gordon to steal Tony's cookies.

Some of the open-source web browsers including Mozilla and KDE Konqueror included a fix for this issue back in the Summer of 2003; they simply look for attempts at directory traversal and block sending Cookies, however not all the popular browsers will do so.

It was suggested that to solve this problem Apache should change its behaviour and not allow directory traversal at all, but in reality this would only solve part of the problem. Cookie path restrictions are just as easily circumvented by browsers that allow multiple frames and JavaScript, for example.

So the conclusion is that there are a number of ways in which Cookie path restrictions can be circumvented, and not all of them can be easily fixed. Therefore application developers should be aware of this and not assume that the Cookie path restrictions are enforced.

Under development

Version 2.0 of the Apache License was approved for use by the Apache Software Foundation board earlier this year, and is now starting to be being applied to new releases of ASF software. The new license has significant changes from Version 1.1, which has been in use since 2000; notably coverage of patent issues. Compatibility of the new license with the GPL proved to be a contentious and particularly complicated legal issue and is yet to be resolved; as described here.

Preparations are underway for a new release from the 2.0 tree; version 2.0.49 will follow up on the October 2003 release of 2.0.48. Seventy five changes are documented for the new version: of note is the inclusion of André Malo's rewrite of the mod_include parser and fixes for several problems in handling of piped logging programs. A number of mod_ssl issues are also fixed, along with two regressions in 2.0.48 in mod_autoindex and mod_usertrack. The first release candidate tarballs received good feedback from testing; release manager Sander Striker proposed to roll second candidates with some fixes for BeOS and the documentation.

There was some discussion about the status of 2.0's thread-based worker MPM on FreeBSD; it was known that with the improvements to the thread libraries in FreeBSD 5.2 and later, the worker MPM can operate correctly. Further testing of worker still showed serious issues when running on the FreeBSD 4.x -STABLE branch; users on such platforms are recommended to stay with the default prefork MPM.

Apache Conferences

O'Reilly Open Source Convention 2004

It's cold, wet, and windy in the UK right now; so what better than to look forward to a summer in Portland, Oregon, host of the O'Reilly Open Source Convention. This year the conference runs from July 26-30 with many tracks of interest to Apache users. Conference registration isn't open yet, but mark the date in your diary and visit the the conference web site for more details.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Rich Bowen is back, and he's enabling and disabling Apache Modules in another "A Day in the Life of #Apache". The article examines why modules are enabled by default and how to tell which you can safely disable.

The Devx.com article "Armoring Apache HTTP Server with SSL" is designed to lead you step-by-step to enabling encryption on your Apache server.

Blane Warrene discusses how to "Configure Web Logs in Apache" including ways to use the CustomLog directive and how to do log rotation.

This issue brought to you by: Mark J Cox, Joe Orton