Apache Week
Issue 48, 17th January 1997

Copyright 1996-2005
Red Hat, Inc.

This week saw two update releases of Apache 1.1.1 to fix two potential security problems. You may have already seen the announcements on the Apache site, Usenet or elsewhere. We have released this issue of Apache Week early to cover the security issues in 1.1.1.

The first problem was related to the cookies module, mod_cookies. This module is not compiled in by default, so this problem will only affect people who have explicitly modified their configuration to include mod_cookies. If your server does have mod_cookies compiled in, it is possible to overflow a buffer within the code, leading to a potential security hole. It is very difficult to exploit this, and there is no evidence that anyone has managed to do it. There are several possible fixes. If you are not using the cookies module functionality, you can recompile without the module. If you are using the module, apply this patch to 1.1.1 or upgrade to 1.1.3 or a 1.2 beta.

The second potential hole relates to the use of the "Indexes" option. If this option is turned on in a directory, it will let browsers see a complete list of files in that directory. This is the correct behaviour. But if you create a file called "index.html" (or any other name as configured by DirectoryIndex), the contents of this file will be displayed instead of the directory listing. Note that the files in the directory are still accessible to anyone that knows or guesses the filename. The security hole is that it is possible to force Apache to return a directory listing, even if an index.html file exists. It does not give access to the system or to any files outside the document tree, so it is not a major hole.

This can be fixed without updating Apache at all. Simply remove the "Indexes" option where it is not needed. This is a good idea even if you do update Apache. Turn this option off at the top level of the document tree in access.conf and only enable it in directories where a listing is explicitly required. You should not rely on an index.html file (or similar) to hide files under your document root, since people can still access the files by guessing the filenames. So you should be careful to ensure you do not place any files under your document root that you do not want people to be able to access. Anything under the document root is potentially accessible to anyone.
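One way to check a configuration against the advice above, as an added example that is not from Apache Week or the Apache project: a Python script that reads access.conf-style text and reports the <Directory> sections where listings are effectively on but were not explicitly wanted. The sample paths are constructed, the default of "on" when no Options line applies is an assumption, and the handling of the relative +Indexes/-Indexes form goes beyond what this issue describes.

```python
import re
# Constructed access.conf-style sample; all paths are illustrative.
WEAK_CONF = """\
<Directory /www/htdocs>
Options Indexes FollowSymLinks
</Directory>
<Directory /www/htdocs/private>
AllowOverride None
</Directory>
<Directory /www/htdocs/pub>
Options Indexes
</Directory>
"""
FIXED_CONF = WEAK_CONF.replace("Indexes ", "", 1)  # top level loses Indexes
SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)

def parse_sections(text):
    """Map each <Directory> path to its Options tokens (None if unset)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1).rstrip("/") or "/"
            sections.setdefault(current, None)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.lower().startswith("options "):
            sections[current] = line.split()[1:]
    return sections

def indexes_enabled(path, sections, default=True):
    """Simplified model: apply enclosing sections, shortest path first."""
    state = default  # assumption: listings are on when nothing sets Options
    chain = [sections[p] for p in sorted(sections, key=len)
             if sections[p] and (path + "/").startswith(p.rstrip("/") + "/")]
    for tokens in chain:
        if all(t[0] in "+-" for t in tokens):   # relative form merges
            for t in (t for t in tokens if t[1:].lower() == "indexes"):
                state = t[0] == "+"
        else:                                   # plain form replaces
            state = any(t.lower() in ("indexes", "all") for t in tokens)
    return state

def audit(text, allowed=()):
    """Directories where listings are on but were not explicitly wanted."""
    sections = parse_sections(text)
    return sorted(p for p in sections
                  if indexes_enabled(p, sections) and p not in allowed)
```

Calling audit(WEAK_CONF, allowed=("/www/htdocs/pub",)) flags both the top-level directory and the "private" directory that silently inherits the option; the same call on FIXED_CONF flags nothing.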

Alternatively, you can fix the problem by applying this patch to 1.1.1 or upgrading to 1.1.3. The next 1.2 beta will also fix the problem. You might also have seen the release of 1.1.2. This included fixes for both the problems above; however, it caused problems on some systems. If 1.1.2 compiled on your system you can continue to use it.

Release 1.1.3 is the same as the current stable version 1.1.1 but with these two issues fixed. The current 1.2 beta version 4 fixes the cookies issue (now called mod_usertrack), but not the directory index. This will be fixed in the next beta release.

Apache Status

Release: 1.1.3 (Released 14th January 1997)
Beta: 1.2b4 (Released 31st December 1996)

Bugs in 1.2b4 fixed in next release:
  • The info page (typically /server-info) did not show configuration lines if the config files were not in the usual place under ServerRoot
  • Could create one more child than requested by MaxClients. Also if StartServers was larger than the compiled-in maximum (256) could cause memory corruption.
  • If an error occurs in a CGI handling POST data where the error is redirected to another CGI (via ErrorDocument), the error script can hang looking for POST data.
  • Fix warning on UnixWare 2.1.1, OS/2 compatibility fixes, FreeBSD fix, added OpenBSD, QNX fixes, added AIX on PS/2, fixed NeXTSTEP.
  • A few security enhancements in suexec wrapper

Apache is currently in a 'beta release' cycle. This is where it is made available prior to full release for testing by anyone interested. Normally during the beta cycle no new major features will be added. The full release of Apache 1.2 is expected at the end of December or early in January.

Denying Access Based on User Agent

In the next release of Apache it will be possible to prevent access to resources based on the User-Agent (browser name). This is done by first of all setting an environment variable based on the user-agent with BrowserMatch, for example

  BrowserMatch nastyrobot isnastyrobot

Then any resource section (<Directory>, <Location>, <Files> or a .htaccess) can be restricted with, for example:

  deny from env=isnastyrobot

This will replace the "deny from user-agents" method of restricting access by user-agent in previous 1.2 betas.

Marking Responses as HTTP/1.0

As reported last issue, some client libraries have bugs which mean that they do not cope with responses marked as "HTTP/1.1". A simple work-around for these clients is to mark the response as "HTTP/1.0" instead (but note that the response content is still in HTTP/1.1 format, since the two are completely compatible). The next release of Apache will allow for this on a client-by-client basis. If the environment variable "force-response-1.0" is set, and the request is marked as "HTTP/1.0", then Apache will mark its response as HTTP/1.0 instead of 1.1. This environment variable can be set by the BrowserMatch directive. For example, if a client which sends a user-agent name of "broken-browser" cannot cope with responses marked as HTTP/1.1, you could use

  BrowserMatch broken-browser force-response-1.0

Care should be taken with this, since if this browser is fixed it will still get responses marked as 1.0 and never use any new HTTP/1.1 features.

New API Function for Unbuffered Output

Modules which send back a response can now use a new function to flush their output to the client. Normally, Apache buffers the output from modules and sends it whenever its buffer gets filled or when the response is complete. This function, rflush(), lets modules determine when to send output to the client.

Books About Apache

As the world's most popular web server, it is not surprising that there are a number of books all about Apache. Apache has been covered in books as part of a larger topic - such as running web servers - but now there are a few books which exclusively cover Apache.

Running a Perfect Web Site with Apache (Brian Behlendorf, QUE) was the first Apache book, published in May 1996. This book views Apache as part of an overall Web site, and includes chapters on planning a WWW presence, using HTML, CGI, search engines and databases. The full text of this book is available online from the publisher.

Apache Server Survival Guide (Manuel Alberto Ricart, SAMS.NET) was published in October 1996. This book covers configuring and managing Apache, as well as CGI programming, Stronghold (a commercial secure version of Apache), DNS and FastCGI.

Apache: The Definitive Guide (Ben Laurie & Peter Laurie, O'Reilly) is expected to be available from February 1997. According to pre-publication information, this book will also cover the writing of modules for Apache using the Apache module API.

Comments or criticisms? Please email us at editors@apacheweek.com