Last week, Apache Week (issue 197) and most of the Internet reported how the apache.org site was compromised. The two hackers known as "{}" and "Hardbeat" owned up straight away and let the Apache Software Foundation know exactly how the system had been exploited, and even went as far as to secure the stable as the horses bolted.
"We were looking for a subtle way to show we had that kind of access, without damaging anything or hindering people in their business at apache.org," said Hardbeat in an interview with Linux News. The pair hoped that the ASF would see this as a well-meaning education rather than a malicious attack. A slightly red-faced Rasmus Lerdorf commented later, "It would have been nice if they hadn't put the damned Microsoft logo up, but I guess they had to do something to get attention."
The attack was possible due to the server being badly configured. Various online publications explained how it was done, but the definitive explanation came from the culprits themselves in their white paper.
This was a friendly tap on the shoulder for the Apache community, who may have been enjoying a false sense of security. Last week we showed how to avoid making the same mistakes. If you're a budding hacker, bear in mind that even unauthorised changes to someone else's data can be considered criminal, whether well-intentioned or not.
If you missed the fun, a mirror of the site can be found at www.attrition.org, and more in-depth coverage is available from C|Net, Wired, and The Register.
"It's quite embarrassing, but it's a good little heads-up," Lerdorf added.
Thanks to those at satire-rag "Need To Know" for informing us about E-Bay's bargain Apache Server, which they're apparently using to run search.ebay.co.uk. Despite the proof, they're not actually running Apache at all.
The Developer Shed have released a useful guide to server security in their article, "Webserver Security (Part II)". The article explores the problem of keeping private data in publicly accessible areas of your server and keeping data from untrustworthy sources from entering your system.
Martin Mohnhaupt gives a useful tip on getting Win32 Apache working with FrontPage 2000, by running the Apache and FrontPage servers together and making them share the same document root.
Apache Site: www.apache.org/httpd
Release: 1.3.12 (Released 25th February 2000) (local download sites)
Beta: None
Alpha: 2.0a3 (Released 28th April 2000) (local download sites)
Apache 1.3.12 is the current stable release. Users of Apache 1.3.11 and earlier on Unix and Windows systems should upgrade to this version. Read the Guide to 1.3.12, the Guide to 1.3.11 for information about changes between 1.3.9 and 1.3.11, and the Guide to 1.3.9 for information about changes between 1.3.6 and 1.3.9.
Every day at Apache Week we receive many requests to help with individual Apache problems. Whilst we can't respond to every request, we are interested to hear about particular problems you are having with Apache so that we can write about the things that more commonly occur. We are equally interested in any success stories you might want to share: how you came across pitfalls and what you did to solve them. Mail the editors at editors@apacheweek.com.
The O'Reilly Network recently started an Apache forum where users can request help and talk about their experiences with Apache.