Apache Week
Issue 346, 11th June 2004:

Copyright 2020 Red Hat, Inc


Security Reports

CAN-2004-0492: Important flaw in mod_proxy

An important security issue was reported in mod_proxy on the 10th June. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0492 to this issue.

The flaw affects Apache httpd versions 1.3.26, 1.3.27, 1.3.28, 1.3.29 and 1.3.31 that have mod_proxy enabled and configured. Apache httpd 2.0 and other versions of Apache httpd 1.3 are unaffected.

The security issue is a buffer overflow which can be triggered by getting mod_proxy to connect to a remote server which returns an invalid (negative) Content-Length. This results in a memcpy to the heap with a large length value, which will in most cases cause the Apache child to crash. This does not represent a significant Denial of Service attack as requests will continue to be handled by other Apache child processes. This issue has a similar consequence to the chunked encoding vulnerability discovered in 2002.

In order to exploit this issue an attacker would need to get an Apache installation that was configured as a proxy to connect to a malicious server.

For the majority of platforms we do not believe that this issue can then lead to arbitrary code execution. However we do believe it is exploitable for arbitrary code execution in the following cases:

  • On older OpenBSD/FreeBSD distributions it is easily exploitable because of the internal implementation of memcpy which re-reads the length value from the stack.
  • On newer BSD distributions it may be exploitable because the implementation of memcpy will write three arbitrary bytes to an attacker controlled location.
  • It may be exploitable on any platform if the optional (and not default) AP_ENABLE_EXCEPTION_HOOK define is enabled. This is used for example by the experimental "mod_whatkilledus" module.
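The root cause described above is a length that is parsed as a signed value, goes negative, and is then handed to memcpy as an unsigned size. The following added example (not httpd code, and not the patch) shows a hypothetical `naive_length` helper reproducing that conversion, beside a hardened `parse_content_length` that rejects negative, non-numeric, over-range and over-limit values before any copy happens. The sample header values and body are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical careless parser (not httpd's code): reads Content-Length as a
 * signed int, then passes it to memcpy, where it becomes a size_t. A header
 * value of "-1" therefore turns into SIZE_MAX, the "large length value"
 * described in the advisory. */
size_t naive_length(const char *value) {
    int len = atoi(value);   /* "-1" -> -1 */
    return (size_t)len;      /* -1   -> SIZE_MAX */
}

/* Hardened parser: returns 0 and stores the length on success, -1 if the
 * value is empty, signed, non-numeric, has trailing garbage, overflows, or
 * exceeds the caller's limit. Only plain decimal digits are accepted. */
int parse_content_length(const char *value, size_t max, size_t *out) {
    if (value == NULL || *value == '\0') return -1;
    if (*value < '0' || *value > '9') return -1;   /* rejects "-1", " 1", "+1" */
    errno = 0;
    char *end;
    unsigned long long n = strtoull(value, &end, 10);
    if (errno == ERANGE) return -1;                /* too large for the type */
    if (*end != '\0') return -1;                   /* e.g. "12abc" */
    if (n > max) return -1;                        /* larger than the buffer */
    *out = (size_t)n;
    return 0;
}

/* Simulated body copy as a proxy might do it: validates the header against
 * the destination buffer size before memcpy. Returns bytes copied, or -1 if
 * the header was rejected. */
long copy_body(const char *content_length, const char *body,
               char *buf, size_t bufsize) {
    size_t len;
    if (parse_content_length(content_length, bufsize, &len) != 0) return -1;
    size_t avail = strlen(body);
    if (len > avail) len = avail;   /* never read past the data we hold */
    memcpy(buf, body, len);
    return (long)len;
}

int main(void) {
    char buf[64];
    /* constructed header values: one valid, the rest malformed or hostile */
    const char *hdrs[] = {"12", "-1", "abc", "0", "99999999999999999999", "100"};
    for (size_t i = 0; i < sizeof hdrs / sizeof hdrs[0]; i++) {
        long r = copy_body(hdrs[i], "Hello, proxy!", buf, sizeof buf);
        printf("Content-Length: %-22s -> %s\n", hdrs[i],
               r < 0 ? "rejected" : "accepted");
    }
    printf("naive (size_t)atoi(\"-1\") = %zu\n", naive_length("-1"));
    return 0;
}
```

The design point is that validation happens on the unsigned, range-checked value, with the destination size as the upper bound; checking `len < 0` after a signed parse is not enough, because the conversion to `size_t` at the memcpy call site is where the sign is lost.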

A patch to correct this issue is available and has been committed to the Apache httpd 1.3 CVS tree.

Apache Week believes that this is an important but not a critical vulnerability; even where this issue could be exploited to run arbitrary code it still requires a vulnerable version of Apache to connect to a malicious site via the Proxy module. If you are running an Apache web server we'd recommend that you take a look at your configuration files and make sure that you have not inadvertently set up an open proxy. If you do not need your server to act as a proxy server then make sure that the directive "ProxyRequests On" does not appear in your configuration file.
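To support the configuration check recommended above, here is an added example (not part of Apache Week or httpd) of a small scanner that reports whether a configuration text contains an active "ProxyRequests On" line. It honours the two facts a practitioner needs: httpd directive names and On/Off values are case-insensitive, and lines whose first non-blank character is "#" are comments. The sample configurations are constructed; the checker is illustrative and does not follow Include lines or evaluate <IfModule> and <VirtualHost> scoping, so treat a "not found" result as a prompt to check those too.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Return 1 if any non-comment line in `conf` is "ProxyRequests On"
 * (directive and value matched case-insensitively), else 0. */
int config_enables_proxy(const char *conf) {
    const char *dir = "ProxyRequests";
    size_t dlen = strlen(dir);
    const char *p = conf;

    while (*p) {
        /* isolate one line without modifying the input */
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *line = p;
        p = eol ? eol + 1 : p + len;

        size_t i = 0;
        while (i < len && isspace((unsigned char)line[i])) i++;
        if (i >= len || line[i] == '#') continue;          /* blank or comment */

        if (len - i < dlen || strncasecmp(line + i, dir, dlen) != 0) continue;
        i += dlen;
        /* require a separator so "ProxyRequestsFoo" is not matched */
        if (i < len && !isspace((unsigned char)line[i])) continue;
        while (i < len && isspace((unsigned char)line[i])) i++;

        if (len - i >= 2 && strncasecmp(line + i, "On", 2) == 0 &&
            (len - i == 2 || isspace((unsigned char)line[i + 2]) || line[i + 2] == '#'))
            return 1;
    }
    return 0;
}

int main(void) {
    /* constructed sample configurations */
    const char *open_proxy =
        "LoadModule proxy_module modules/libproxy.so\n"
        "  proxyrequests ON   # forward proxying enabled\n";
    const char *commented_out =
        "# ProxyRequests On\n"
        "ProxyRequests Off\n";
    const char *reverse_only =
        "ProxyPass /app http://backend.example/app\n";

    printf("open_proxy:    %d\n", config_enables_proxy(open_proxy));
    printf("commented_out: %d\n", config_enables_proxy(commented_out));
    printf("reverse_only:  %d\n", config_enables_proxy(reverse_only));
    return 0;
}
```

A reverse proxy set up with ProxyPass does not need "ProxyRequests On" and so does not show up here, but mod_proxy is still loaded and configured in that case, so the CAN-2004-0492 fix still applies to it; this check only tells you whether the server is additionally acting as a forward (potentially open) proxy.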

Under development

An issue has been discovered in the recent 1.3.31 release which particularly affects users of modules such as mod_dav and Frontpage. A change was included in this release which was intended to allow the server to reject POST requests and quickly close the connection when KeepAlive is disabled for a location where POST is rejected, without having to read the entire POST request body. An unexpected side-effect of the patch means that in 1.3.31, request bodies are not discarded on error responses such as an authentication failure. This causes subsequent requests on the connection to fail, leaving strange access_log entries.

This bug affects typical configurations of mod_dav when used in conjunction with an authentication module; 1.3.31 users are recommended to use the patch which was committed to restore the previous 1.3 behaviour.

One of the limitations of the traditional Apache "one thread per connection" model is that enabling KeepAlive support means that a greater number of threads are needed to support a given number of users when connections are left open (but idle) after a request. This week, Greg Ames posted a patch which demonstrates a modification of the worker MPM which passes off handling of idle "keptalive" connections to a single "event thread". Enabling KeepAlive support can improve network utilisation and user experience by avoiding slow TCP connection handshakes, so being able to do so without risking tying up worker threads is an exciting boost for those looking to scale Apache servers to large numbers of connections.

The APR project, working on the portability library which underpins the 2.0 code-base, recently made renewed efforts towards a long-awaited "1.0" stable release. Still on the scalability front, Paul Querna has been working on adding support to APR for the scalable Linux 2.6 "epoll" and FreeBSD "KQueue" interfaces rather than the traditional "poll". This should improve the performance of 2.0 servers which use large numbers of listening ports, and will also allow the "event thread" in Greg's patch covered above to scale to large numbers of keepalive connections.

In the news

O'Reilly Open Source Convention 2004

Just over a month to go before the highly anticipated O'Reilly Open Source Convention opens its doors in Portland, Oregon. This year the conference runs from July 26-30 with many tracks of interest to Apache users. Don't miss the Programming the Apache Lifecycle tutorial on July 27 by Geoffrey Young. The tutorial covers programming the Apache framework from the ground up, clearing the way for the myriad of possibilities mod_perl makes available. Techniques specific to handling resource control, maintaining state, proper caching headers, and logging through the mod_perl API will round out this session.

Annual members meeting

The Apache Software Foundation held an annual members meeting in May. The meeting was held via IRC and prompted a healthy turn out. A secret ballot was held to elect the new board of directors of the ASF as well as to elect a number of new ASF members. There were thirteen nominations for directors, with nine positions available, and the single transferable vote mechanism was used to give a much fairer representation.

All the previous directors were re-elected apart from Mark Cox and Ben Laurie, who were replaced by Geir Magnusson and Stefano Mazzocchi. The new board comprises Brian Behlendorf, Ken Coar, Dirk-Willem van Gulik, Jim Jagielski, Geir Magnusson, Stefano Mazzocchi, Sam Ruby, and Greg Stein.

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

Rich Bowen is back, and he's getting into the dirty details of file permissions in another "A Day in the Life of #Apache". This Unix-centric article looks at how to set permissions and why they matter.

Mike Peters looks at running Apache in a jail in the Linux.com article "Chrooting Apache". Setting up a chroot environment is tricky, but it can help reduce the risk of server vulnerabilities.

This issue brought to you by: Mark J Cox, Joe Orton