This week saw two update releases of Apache 1.1.1 to fix two
potential security problems. You may have already seen the
announcements on the apache site, usenet or elsewhere. We
have released this issue of Apache Week early to cover the
security issues in 1.1.1.
The first problem was related to the cookies module,
mod_cookies. This module is not compiled in by default, so
this problem will only affect people who have explicitly
modified their configuration to include mod_cookies. If your
server does have mod_cookies compiled in, it is possible to
overflow a buffer within the code, leading to a potential
security hole. It is very difficult to exploit this, and
there is no evidence that anyone has managed to do it. There
are several possible fixes. If you are not using the cookies
module functionality, you can recompile without the module.
If you are using the module, apply this
patch to 1.1.1 or upgrade to 1.1.3 or a 1.2 beta.
The second potential hole relates to the use of the "Indexes"
option. If this option is turned on in a directory, it will
let browsers see a complete list of files in that directory.
This is the correct behaviour. But if you create a file
called "index.html" (or any other name as configured by
DirectoryIndex), the contents of this file will
be displayed instead of the directory listing. Note that the
files in the directory are still accessible to anyone that
knows or guesses the filename. The security hole is that it
is possible to force Apache to return a directory listing,
even if an index.html file exists. It does not give access to
the system or to any files outside the document tree, so it
is not a major hole.
This can be fixed without updating Apache at all. Simply
remove the "Indexes" option where it is not needed. This is a
good idea even if you do update Apache. Turn this option off
at the top level of the document tree in access.conf and only
enable it in directories where a listing is explicitly
required. You should not rely on a index.html file (or
similar) to hide files under your document root, since people
can still access the files by guessing the filenames. So you
should be careful to ensure you do not place any files under
your document root that you do not want people to be able to
access. Anything under the document root is potentially
accessible to anyone.
Alternatively, you can fix the problem by applying this
patch to 1.1.1 or upgrading to 1.1.3. The next 1.2 beta
will also fix the problem. You might also have seen the
release of 1.1.2. This included fixes for both the problems
above, however it caused problems on some systems. If 1.1.2
compiled on your system you can continue to use it.
Release 1.1.3 is the same as the current stable version 1.1.1
but with these two issues fixed. The current 1.2 beta version
4 fixes the cookies issue (now called mod_usertrack), but not
the directory index. This will be fixed in the next beta
Release: 1.1.3 (Released 14th January 1997)
Bugs in 1.2b4 fixed in next release:
Beta: 1.2b4 (Released 31st December 1996)
The info page (typically /server-info) did not show
configuration lines if the config files were not in the
usual place under ServerRoot
Could create one more child than requested by MaxClients.
Also if StartServers was larger than the compiled-in
maximum (256) could cause memory corruption.
If an error occurs in a CGI handling POST data where the
error is redirected to another CGI (via
ErrorDocument) the error script can hangup
looking for POST data.
Fix warning on UnixWare 2.1.1, OS/2 compatibility fixes,
FreeBSD fix, added openBSD, QNX fixes, added AIX on PS/2,
A few security enhancements in suexec wrapper
Apache is currently in a 'beta release' cycle. This is where
it is made available prior to full release for testing by
anyone interested. Normally during the beta cycle no new
major features will be added. The full release of Apache 1.2
is expected at the end of December or early in January.
In the next release of Apache it will be possible to prevent
access to resources based on the User-Agent (browser name).
This is done by first of all setting an environment variable
based on the user-agent with BrowserMatch, for
BrowserMatch nastyrobot isnastyrobot
Then any resource section (<Directory>,
<Location>, <Files> or a .htaccess) can be
restricted with, for example:
deny from env=isnastyrobot
The will replace the "deny from user-agents" method of
restricting access by user-agent in previous 1.2 betas.
As reported last issue, some client libraries have bugs which
mean that they do not cope with responses marked as
"HTTP/1.1". A simple work-around for these clients is to mark
the response as "HTTP/1.0" instead (but note that the
response content is still in HTTP/1.1 format, since the two
are completely compatible). The next release of Apache will
allow for this on a client-by-client basis. If the
environment variable "force-response-1.0" is set, and the
request is marked as "HTTP/1.0", then Apache will mark its
response as HTTP/1.0 instead of 1.1. This environment
variable can be set by the BrowserMatch
directive. For example, if a client which sends a user-agent
name of "broken-browser" cannot cope with responses marked as
HTTP/1.1, you could use
BrowserMatch broken-browser force-response-1.0
Care should be taken with this, since if this browser is
fixed it will still get responses marked as 1.0 and never use
any new HTTP/1.1 features.
Modules which send back a response can now use a new function
to flush their output to the client. Normally, Apache buffers
the output from modules and sends it whenever it's buffer
gets filled or when the response is complete. This function,
rflush() lets modules determine when to send
output to the client.
As the world's most popular web server, it is not surprising
that there are a number of books all about Apache. Apache has
been covered in books as part of a larger topic - such as
running web servers - but now there are a few books which
exclusively cover Apache.
Running a Perfect Web Site with Apache (Brian
Behlendorf, QUE) was the first Apache book, published in May
1996. This book views Apache as part of an overall Web site,
and includes chapters on planning a WWW presence, using HTML,
CGI, search engines and databases. The full text of this book
is available online from the publisher.
Apache Server Survival Guide (Manuel Alberto Ricart,
SAMS.NET) was published in October 1996. This book covers
configuring and managing Apache, as well as CGI programming,
Stronghold (a commercial secure version of Apache), DNS and
The Definitive Guide (Ben Laurie & Peter Laurie,
O'Reilly) is expected to be available from February 1997.
According to pre-publication information, this book will also
cover the writing of modules for Apache using the Apache