Apache Week
Issue 12, 26th April 1996

Copyright 1996-2005
Red Hat, Inc.



Version

1.0.5 is the current stable public release. It is the same as 1.0.3, except that it 'fixes' a possible security problem (see below). The beta test version, 1.1b, is now at beta 2.


Apache security bug false alert

The IBM Emergency Response Service released a security vulnerability alert for Apache and NCSA servers. The Apache group immediately released a fixed distribution, version 1.0.5, based on the information in the alert. However, detailed analysis later showed that this 'problem' probably did not constitute a security risk in Apache 1.0.3. The reported problem affected the way the server removes potentially dangerous characters (for example, the back-tick character) from input that is later passed on to CGI scripts. In this case, the newline character was not being removed from CGI input. Only very old CGI scripts which take their arguments on the command line are vulnerable, and only if the CGI author was very careless in checking those arguments.

There was a real problem, reported back in February, which affected some of the programs distributed in cgi-bin and cgi-src. This has been fixed for some time. That problem was caused by a section of code which also occurred in the main server source. The alert assumed that because the code was the same, the same vulnerability was present. But the code in the server is used in a different way, which means it is very unlikely to cause a security problem. Nonetheless the Apache group released a 'fixed' version of the server.
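As an added illustration (this is not Apache's or NCSA's code; the character lists, function names and the sample query are this example's own assumptions), the following C program models the filtering described above: an old-style CGI receives its query on the command line, a careless script interpolates that argument into a shell command, and a filter that strips shell metacharacters but omits the newline still lets a second command through, while a filter that also strips the newline does not. Nothing here is executed; the program only builds and inspects the command string.

```c
/* Added example, not Apache or NCSA code. The metacharacter tables,
 * the "finger <arg>" command and the hostile query are assumptions
 * made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes a Bourne shell treats specially when they reach it unquoted.
 * weak_bad leaves out '\n' and '\r' (the gap the alert described);
 * fixed_bad includes them. Both lists are illustrative only. */
static const char weak_bad[]  = "&;`'\"|*?~<>^()[]{}$\\";
static const char fixed_bad[] = "&;`'\"|*?~<>^()[]{}$\\\n\r";

/* Return a newly allocated copy of src with every byte listed in bad
 * removed (the page describes removal, so that is what is modelled).
 * The caller frees the result. Returns NULL on allocation failure. */
char *strip_shell_chars(const char *src, const char *bad)
{
    size_t n = strlen(src);
    char *out = malloc(n + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (; *src; src++)
        if (!strchr(bad, *src))   /* *src is never NUL inside the loop */
            *p++ = *src;
    *p = '\0';
    return out;
}

/* Build the string a careless old-style CGI might pass to system():
 * "finger <argv[1]>". Returns 1 if it fit in buf, 0 if truncated. */
int build_finger_cmd(const char *arg, char *buf, size_t len)
{
    int n = snprintf(buf, len, "finger %s", arg);
    return n >= 0 && (size_t)n < len;
}

/* Approximate count of commands a Bourne shell would run for cmd:
 * an unquoted newline separates commands just as ';' does. */
int shell_command_count(const char *cmd)
{
    int count = 1;
    for (; *cmd; cmd++)
        if (*cmd == '\n' || *cmd == ';')
            count++;
    return count;
}

int main(void)
{
    /* Constructed hostile query: back-ticks plus an embedded newline. */
    const char *query = "alice`id`\ncat /etc/passwd";
    char cmd[256];

    char *w = strip_shell_chars(query, weak_bad);
    char *f = strip_shell_chars(query, fixed_bad);
    if (!w || !f)
        return 1;

    build_finger_cmd(w, cmd, sizeof cmd);
    printf("weak filter : %d command(s) in \"%s\"\n",
           shell_command_count(cmd), cmd);

    build_finger_cmd(f, cmd, sizeof cmd);
    printf("fixed filter: %d command(s) in \"%s\"\n",
           shell_command_count(cmd), cmd);

    free(w);
    free(f);
    return 0;
}
```

With the weak table the back-ticks are gone but the newline survives, so the resulting "finger" command string still contains a second command; with the newline added to the table the whole query collapses to a single harmless argument. The same check applies to any script that builds a command line from untrusted input: the filter is only as good as its list, and quoting or avoiding the shell altogether is safer than stripping.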

The alert did raise the issue of what level of support the Apache group provide for the CGI examples supplied with Apache. They are mostly scripts and programs which were originally distributed with NCSA 1.3, and they are not considered to be supported by the Apache group. Most will probably be dropped from future distributions of Apache. There are lots of other sites with detailed information on CGI programming, such as the CGI information at NCSA.


Bugs

Since 1.1 has just gone into public beta, there have been quite a few this week. Many have already been fixed in beta 2 of 1.1, and more will no doubt be fixed in further beta releases.

Bugs affecting 1.0.5 and before will be listed here:

Hostnames truncated in log file
Some hostnames were being truncated in the log files. This only occurred when the cookies module was being used. This is fixed in 1.1beta.

Under Development

Better docs
The documentation on the site is going to be improved in the future.

PHP Module
You can now link the PHP/FI server-parsed HTML processor directly into Apache via an Apache interface module. This is much faster than using a CGI program to perform the same tasks. Also under development is an Apache 1.1 version of the XSSI server-side-include parsing module.

Regular expressions
Future versions of Apache might include a regular expression parser.

... and finally

Apache to go: McDonalds Corp. are using Apache to serve pages. But can you get fries with them?

Microsoft eats pages: Robots at Microsoft have been repeatedly requesting pages - one site reports 10,000 requests for the same page from one robot. Obviously Microsoft have answered their question "Where do you want to go today?" with "the same place.... 10,000 times".

Web weak? The April 96 issue of Web Week reportedly announces that Apache is Mac-only: "While the commercial market is growing, free servers still dominate. According to the latest Netcraft Web Server Survey, the National Center for Supercomputing Applications Web server enjoys 28 percent of the market, followed by the Macintosh-based Apache HTTP Server Product, with 27 percent. Third is Netscape with 17 percent." (page 8).


Comments or criticisms? Please email us at editors@apacheweek.com