The Apache development list this week contains a fix for a
security issue that affects previous versions of Apache,
including Apache 1.3.12. Apache is vulnerable only if you use
mod_rewrite with a specific form of the RewriteRule
directive: if the result of a RewriteRule is a
filename that contains regular expression references (such
as $1), an attacker may be able to access any file on the web
server.
Here are some example RewriteRule directives. The first is
vulnerable, but the others are not:
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
The patch is currently being tested and will be part of the
release of Apache 1.3.13. Until then, users should check
their configuration files and not use rules that map to a
filename such as the first example above.
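Since the advice above is to check configuration files for rules of this form, here is an added example (my own Python script, not code from Apache Week or the Apache project) that scans an httpd.conf for RewriteRule directives whose substitution contains a regex backreference and resolves to a local filesystem path. The sample configuration, the names audit, parse_rewrite_rule and maps_to_filename, and the fs_roots parameter are all my own; the test for when an absolute path counts as a filename rather than a URL path (its first component is an existing top-level directory on the server) is my approximation of how mod_rewrite classifies a rewrite result, not something the item states.

```python
"""Audit an Apache httpd.conf for RewriteRule directives whose result is a
filesystem path built from a regex backreference, the configuration pattern
the Apache Week item warns about."""
import os
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Backreferences mod_rewrite expands inside a substitution: $0-$9 from the
# RewriteRule pattern, %0-%9 from the last matching RewriteCond.
BACKREF_RE = re.compile(r"[$%][0-9]")
# A substitution with a URL scheme is a redirect or proxy target, not a file.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

# Constructed sample configuration: the three rules from the item plus a few
# extra rules invented for this example.
SAMPLE_CONFIG = """\
RewriteEngine on
RewriteRule /test/(.*) /usr/local/data/test-stuff/$1
RewriteRule /more-icons/(.*) /icons/$1
RewriteRule /go/(.*) http://www.apacheweek.com/$1
# RewriteRule /old/(.*) /var/www/old/$1
RewriteRule ^/docs/(.*)$ /var/www/docs/$1 [L]
RewriteRule ^/motd$ /etc/motd [L]
"""


class Finding(NamedTuple):
    line_no: int
    pattern: str
    substitution: str


def parse_rewrite_rule(line: str) -> Optional[Tuple[str, str]]:
    """Return (pattern, substitution) for a RewriteRule line, else None.
    Directive names are case-insensitive; comments and blank lines are skipped."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) < 3 or parts[0].lower() != "rewriterule":
        return None
    return parts[1], parts[2]


def maps_to_filename(substitution: str, fs_roots: Set[str]) -> bool:
    """My approximation of how mod_rewrite (server context) classifies a
    result: a scheme means redirect/proxy, '-' means no substitution, and an
    absolute path is treated as a local filename only when its first component
    is an existing top-level directory; otherwise it is re-injected into the
    URL space, as /icons/$1 in the item is."""
    if substitution == "-" or SCHEME_RE.match(substitution):
        return False
    if not substitution.startswith("/"):
        return False
    first_component = substitution.split("/")[1]
    return first_component in fs_roots


def audit(config_text: str, fs_roots: Optional[Set[str]] = None) -> List[Finding]:
    """Flag every RewriteRule whose substitution both contains a backreference
    and resolves to a filesystem path. fs_roots defaults to the top-level
    directories of the machine running the audit; pass the server's own set
    when auditing a config copied from elsewhere."""
    if fs_roots is None:
        fs_roots = set(os.listdir("/"))
    findings: List[Finding] = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_rewrite_rule(line)
        if parsed is None:
            continue
        pattern, substitution = parsed
        if BACKREF_RE.search(substitution) and maps_to_filename(substitution, fs_roots):
            findings.append(Finding(line_no, pattern, substitution))
    return findings


if __name__ == "__main__":
    # Run against the constructed config with a fixed set of roots so the
    # result does not depend on the auditing machine's filesystem.
    for f in audit(SAMPLE_CONFIG, fs_roots={"usr", "var", "etc", "home"}):
        print(f"line {f.line_no}: RewriteRule {f.pattern} {f.substitution} "
              "-> maps a backreference into a filesystem path; the item "
              "advises against such rules until the fixed release ships")
```

Run it on the web server itself with fs_roots left at its default, so the classification uses the real list of top-level directories; when auditing a configuration copied from another machine, pass that machine's directory names instead.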
If you've been to one of the Apache conferences you'll
probably have picked up a selection of Apache-related
goodies. If you don't yet have anything with the cool
official Apache feather logo why not buy a new T-Shirt,
"Apache Software Foundation: Mirrored" from Copyleft.
US$4 gets donated to the ASF for every shirt sold too. If you
want Apache-related goodies for free, why not register
for ApacheCon 2000 in Europe next month?
This week, the articles on the web that we highlight here are
of particular interest to new Apache users. The Developer
Shed shows beginners how to build their very own
dream Apache web server. It gives a very comprehensive
account of Apache's background including its birth before
proceeding to three different scenarios for building a
customized Apache Web Server.
Linux Magazine on the other hand has an article
by Craig Knudsen for users new to PHP. It includes the
history of PHP from PHP/FI to PHP 4.0, and instructions for
building PHP, Apache, and MySQL.
In February 1997 (Apache Week issue
51) we ran an article on how to gather visitor
information by customizing your Apache 1.2 log files. Apache
Today revisited this subject extensively in its "Apache Guide
: Logging with Apache" series for Apache 1.3. In his three
previous articles, Rich Bowen touched on the basics of Apache
logs by looking at the access log, error log, CustomLog and
LogFormat directives. Everyone knows that logs are useless
unless the data in them are interpreted and analyzed in a
meaningful way, so in the fourth article Rich gets into the
crux of the matter: "Log-File Analysis". Although it is not a
step-by-step
tutorial on how to analyze your logs, it does give you a good
idea of the information you can expect from the logs and
points you to four log analysis tools (Analog, WebTrends,
WWWStat and Wusage) that could help you with this task.
Alternatively it suggests that you could use the
Apache::ParseLog module if you are a DIY person.