In this issue
A new version of the stable branch of Apache, 1.2.5, has been
released. This incorporates some bug fixes following an
internal security code review, and also fixes a possible
"denial of service" attack. The security problems found are
not particularly serious. Many would be very difficult
to exploit, and even those which are potentially exploitable
at worst give access to the server user (not root). As far as
is known, none of these problems were being exploited, and
many of them would be very difficult to use. These fixes will
also be in the next beta of 1.3.
The 'Beck' Denial of Service Attack
A denial of service attack has been posted in a message on the
BUGTRAQ list. This message also includes a script called
"beck" to perform the attack.
Apache, like all network services, is vulnerable to attacks
based on repeated requests. By sending requests rapidly to
the server, the server's load will increase in proportion to
the number of requests being made. This is difficult to guard
against because the server cannot know whether the repeated
requests are valid or not. Normally the load caused by
repeated requests will be roughly proportional to the number
or rate of requests, at least until the server nears hard
resource limits. And normally as soon as the attacker stops
sending requests the load at the server will start to
decrease. The "beck" author found a problem with Apache which
caused the load to increase exponentially, and could stay
high even after the attack stopped.
The problem in Apache that this potential attack highlights
was the way that Apache processes requests with slash (/)
characters in them. When Apache receives requests with /'s in
them, it has to parse the request line to identify the path
components, and to ensure that the user is not trying to
evade directory restrictions by using multiple slash
characters in a row. The problem was that the amount of
processing that Apache does on a request did not increase
linearly with the number of slashes in the request; instead
it increased exponentially. So for a line containing ten /'s
Apache did 100 times as much processing as for a line
containing one /, when it should have done only ten times as much.
When requests contained very large numbers of slashes Apache
would do a huge amount of CPU intensive processing. This is
fixed in 1.2.5 and the next 1.3 beta.
For existing users of 1.3 betas, a patch is available.
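To make the cost difference concrete, here is an added example (not Apache's own code) of two ways to collapse runs of slashes in a request path: a naive routine that shifts the tail of the string and rescans after every removal, so its work grows quadratically with the number of adjacent slashes, and a single-pass routine whose work is proportional to the path length. The figure above, ten slashes costing 100 times as much as one, matches the quadratic shape. The function names, the work counters and the constructed "index.html" inputs are assumptions made for this illustration.

```c
#include <string.h>

/* Naive collapse: find the first "//", shift the whole tail left by one
 * byte, then rescan from the start. Each shift touches the rest of the
 * string, so n adjacent slashes cost on the order of n*n byte moves.
 * Returns the number of bytes moved (a constructed work counter). */
size_t collapse_slashes_quadratic(char *path)
{
    size_t work = 0;
    char *p;
    while ((p = strstr(path, "//")) != NULL) {
        size_t tail = strlen(p);    /* bytes from p to the end */
        memmove(p, p + 1, tail);    /* this count also moves the NUL */
        work += tail;
    }
    return work;
}

/* Single-pass collapse: copy each byte once, dropping a '/' that directly
 * follows another '/'. Work is proportional to the path length. */
size_t collapse_slashes_linear(char *path)
{
    char *src = path, *dst = path;
    size_t work = 0;
    for (; *src != '\0'; work++) {
        if (*src == '/' && dst > path && dst[-1] == '/')
            src++;                  /* skip the repeated slash */
        else
            *dst++ = *src++;
    }
    *dst = '\0';
    return work;
}

/* Constructed input: nslashes leading slashes followed by "index.html".
 * Returns the work counted by the chosen routine, or 0 if the input does
 * not fit or the routine did not reduce the path to "/index.html". */
size_t work_for_slashes(size_t nslashes, int use_linear)
{
    char path[128];
    if (nslashes + sizeof("index.html") > sizeof(path))
        return 0;
    memset(path, '/', nslashes);
    strcpy(path + nslashes, "index.html");
    size_t work = use_linear ? collapse_slashes_linear(path)
                             : collapse_slashes_quadratic(path);
    return strcmp(path, "/index.html") == 0 ? work : 0;
}
```

Going from 10 to 40 leading slashes raises the naive routine's work from 144 to 1209 byte moves, while the single-pass routine goes from 20 to 50 bytes examined.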
Security Code Review
The Apache code was already being reviewed for "buffer
overrun" type security problems when the "beck" attack was
announced. The review is part of the ongoing process to try
and ensure that Apache is as secure as possible.
Apache is very careful to try and ensure that things like
buffer overruns do not occur. For example, when copying
strings of possibly unknown length, Apache always specifies a
maximum string length to copy. This is to try and prevent
attacks which involve sending overlong data to a server,
which will overwrite a code area. Potentially an attacker may
be able to use this mechanism to write executable data into
the code area, then get their code executed.
The code has been updated in previous reviews to try to
eliminate buffer overruns; however, recently some minor
problems were found in two modules in particular: the
imagemap module (mod_imap) and the server-side include module
(mod_ssi). So a review was performed to analyse both of these
modules - as well as the rest of the code - for remaining
buffer overrun type bugs. The result of the code review is
Apache 1.2.5.
Of course it is never possible to say with absolute certainty
that there are no more buffer overrun bugs, but Apache is
widely and carefully reviewed by the developers. The
availability of source code gives anyone concerned with
security the ability to check the code for themselves, and
provides an open review process. The CHANGES file in Apache
1.2.5 and the security advisory both list the bugs found in
detail to keep all users informed.
An Apache Security Advisory gives details of all the bugs
found, their severity, and the effect if they were exploited.
For the first time, Apache's share of the Netcraft Internet
server survey
has exceeded 50%. This means it is now used on more internet
sites than all other servers combined. The proportion of
sites using Apache or a known derivative of Apache is 50.24%,
up from 49.90% last month. The proportion of sites running a
Microsoft server is 21.51% and Netscape 10.24%. After this
news, the Apache developers issued a press release.
Apache Site: www.apache.org
Release: 1.2.5 (Released 5th January 1998) (local download sites)
Beta: 1.3b3 (Released 20th November 1997) (local download sites)
Apache 1.2.5 is the current stable release. Users of Apache
1.2.4 and earlier should upgrade to this version. The next
release will be 1.3. A beta test release of 1.3 is available
now for both Unix and Windows 95/NT systems.
Bugs fixed in 1.3b4
These bugs have been found and fixed in 1.3b4.
Because of the major differences between Windows and Unix,
these are separated into bugs which affect Windows systems
only, and other bugs (which may affect Windows as well). Unix
users can ignore the bugs listed in the Windows section.
Windows-specific Bugs
- ISAPI extensions would crash if called from a "release" compilation of Apache. This seems to be due to a bug in the Visual C++ optimiser. The work-around implemented in Apache is to turn off the optimisation for one function. The rest of Apache is still fully optimised.
- The multithreading code in Apache has been overhauled to make it work better and to be easier to maintain. Shutdowns are now "graceful", which means that connections in progress are not immediately dropped.
- When running a CGI program, Apache could try to run an executable program as a script. It now checks for executables the proper way, by looking for the special signature that occurs at the start of all executables.
Other Bugs
- Microsoft Internet Explorer 4 might report "Could not complete operation due to error 800c0008". This was caused by a bug in Apache when sending out data in "chunked" format, as defined in HTTP/1.1. It only affects modules which send data a character at a time (using the rputc() API function call). Most modules included with Apache do not use this call, but some third party modules do. This error was typically seen on pages served by PHP. This bug also affects 1.2.5.
- Related to the above bug, the sending of documents which are fed a character at a time from modules has been made much more efficient.
- A negotiation type-map file containing an unterminated quoted string could cause a core dump.
- Incorrect syntax in SSI commands could cause the wrong error message (or no error message at all) to be logged.
- An AddIconByType directive without a trailing ) would not log an error.
- The Apache API function ap_snprintf(), when given a length parameter of 0, would assume the destination string was unlimited. It now does not write anything to the destination buffer.
- The calculation of the total number of bytes sent may be wrong.
- Proxy authentication using digest authentication does not work.
- Internal structures based on "tables" (such as lists of headers and environment variables) may not work correctly when there are two entries with the same key value.
- If the argument to AuthName included double-quotes, Apache would send an invalid header to the client. From the next release, the argument to AuthName will be treated like other directive arguments - in particular, if it contains spaces it must be enclosed in double quotes.
- The CGI environment variable REQUEST_URI was not being passed on to scripts invoked via suEXEC.
- Various OS/2 updates and fixes.
- Update to MPE port.
Patches for bugs in Apache 1.2.5 may be made available in the
apply to 1.2.5 directory on the Apache site. Some new features
and other unofficial patches are available in the 1.2 patches
directory. For details of all previously reported bugs, see
the Apache bug database and known bugs pages. Also many common
configuration questions are answered in the Apache FAQ.
Development has slowed down to prepare for the release of
Apache 1.3. During the beta release cycle Apache is in a
"feature freeze" where no new features will be added. The
only changes from now on will be bug-fixes.
New Perl Log Resolver
A program to convert IP addresses in log files into host names
will be available with the next beta release. There is
already a C program to do this, called logresolve.c, in the
src/support directory. The new program does
essentially the same thing, but is written in perl and
designed to be fast and efficient. It will be available in
src/support/logresolve.pl.
API Adds an Apache Utility Library
The build process now creates a new library containing
various utility functions. Most of these functions
are available to modules via the Apache module API. In
addition, support programs will be able to link against this
library to get access to these functions. This library is
stored in the ap sub-directory of
src, and is called libap.
The Netcraft survey figures were reported on at least two
sites:
On a different subject, Internet World report that
At Last: Apache Runs on Windows (Dec 24). They report on
the recent Apache 1.3 beta for NT, in source code format.
Unlike most NT reviews, they were happy to compile from
source and install from the command line, although they did
note the lack of a graphic administration interface.