An important security issue was
reported in mod_proxy on the 10th June.
The Common Vulnerabilities and Exposures project
has assigned the name
to this issue.
The flaw affects Apache httpd versions 1.3.26, 1.3.27, 1.3.28, 1.3.29
and 1.3.31 that have mod_proxy enabled and configured. Apache httpd
2.0 and other versions of Apache httpd 1.3 are unaffected.
The security issue is a buffer overflow which can be triggered by getting
mod_proxy to connect to a remote server which returns an invalid
(negative) Content-Length. This results in a memcpy to the heap with a
large length value, which will in most cases cause the Apache child to
crash. This does not represent a significant Denial of Service attack as
requests will continue to be handled by other Apache child processes. This
issue has a similar consequence to the
chunked encoding vulnerability
discovered in 2002.
In order to exploit this issue an attacker would need to get an
Apache installation that was configured as a proxy to connect to a
For the majority of platforms we do not believe that this issue can
then lead to arbitrary code execution. However we do believe it is
exploitable for arbitrary code execution in the following cases:
- On older OpenBSD/FreeBSD distributions it is easily exploitable because
of the internal implementation of memcpy which re-reads the length value from
- On newer BSD distributions it may be exploitable because the
implementation of memcpy will write three arbitrary bytes to an attacker
- It may be exploitable on any platform if the optional (and not default)
AP_ENABLE_EXCEPTION_HOOK define is enabled. This is used for example by
the experimental "mod_whatkilledus" module.
A patch to correct this issue is available and has been
committed to the
Apache httpd 1.3 CVS tree.
Apache Week believes that this is an important but not a critical
vulnerability; even where this issue could be exploited to run
arbitrary code it still requires a vulnerable version of Apache to
connect to a malicious site via the Proxy module. If you are running
an Apache web server we'd recommend that you take a look at your
configuration files and make sure that you have not inadvertently set
up an open proxy. If you do not need your server to act as a proxy
server then make sure that the directive "ProxyRequests On" does not
appear in your configuration file.
An issue has been discovered in the recent 1.3.31 release
which particularly affects users of modules such as
mod_dav and Frontpage. A change was
included in this release which was intended to allow the server
to reject POST requests and quickly close the
connection when KeepAlive is disabled
for a location where POST is rejected, without
having to read the entire POST request body. An
unexpected side-effect of patch means that in 1.3.31, request
bodies are not discarded on error responses such as an
authentication failure. This causes subsequent requests on
the connection to fail, leaving
This bug affects typical configurations of mod_dav when used
in conjunction with an authentication module; 1.3.31 users are
recommended to use the patch
which was committed to restore the previous 1.3 behaviour.
One of the limitations of the traditional Apache "one thread
per connection" model is that enabling
KeepAlive support means that a greater number
of threads are needed to support a given number of users when
connections are left open (but idle) after a request. This
week, Greg Ames posted a patch which demonstrates a modification
of the worker MPM which passes off handling of idle
"keptalive" connections to a single "event thread". Enabling
KeepAlive support can improve network utilisation and user
experience by avoiding slow TCP connection handshakes, so being
able to do so without risking tying up worker threads is an
exciting boost for those looking to scale Apache servers to
large numbers of connections.
The APR project, working on the portability library which
underpins the 2.0 code-base, recently made renewed efforts towards a long-awaited
"1.0" stable release. Still on the scalability front, Paul
Querna has been working on adding support to APR for the
scalable Linux 2.6 "epoll" and FreeBSD "KQueue" interfaces
rather than the traditional "poll". This should improve the
performance of 2.0 servers which use large numbers of listening
ports, and will also allow the "event thread" in Greg's patch
covered above to scale to large numbers of keepalive
Just over a month to go before the highly anticipated
O'Reilly Open Source Convention opens it's doors in Portland, Oregon.
This year the conference runs
from July 26-30 with many tracks of interest to Apache users.
Don't miss the Programming
the Apache Lifecycle tutorial on July 27 by Geoffrey Young. The
tutorial covers programming the Apache framework from the ground up,
clearing the way for the myriad of possibilities mod_perl makes
available. Techniques specific to handling resource control,
maintaining state, proper caching headers, and logging through the
mod_perl API will round-out this session.
The Apache Software Foundation held an annual members meeting
in May. The meeting was held via IRC and prompted a healthy turn out.
A secret ballot was held to elect the new board
of directors of the ASF as well as to elect a number of new ASF
members. There were thirteen nominations for directors, with nine
positions available, and the single
transferable vote mechanism was used to give a much fairer
All the previous directors were re-elected apart from Mark Cox
and Ben Laurie who were replaced by Geir Magnusson and Stefano
Mazzocchi. The new board comprises of Brian Behlendorf, Ken Coar,
Dirk-Willem van Gulik, Jim Jagielski, Geir Magnusson, Stefano
Mazzocchi, Sam Ruby, and Greg Stein.
In this section we highlight some of the articles on the web
that are of interest to Apache users.
Rich Bowen is back, and he's getting into the dirty details of
file permissions in another "A
Day in the Life of #Apache". This Unix-centric article looks
at how to set permissions and why they matter.
Mike Peters looks at running Apache in a jail in the Linux.com
Apache". Setting up a chroot environment is tricky, but it can help
reduce the risk of server vulnerabilities.