Apache 2.0 performance was again the hot topic on the development
list this week, as some detailed results of profiling httpd on AIX were sent
in by IBM hacker Bill Stoddard. Several areas of code were targeted
for optimisation after some analysis of the results; of particular
note were the request header parsing loops, which copied input data and
used several temporary memory allocations. The discussion led to
several optimisations being checked in, with more pending.
One of the changes included in Apache 1.3.26 has caused a few surprises,
as parsing of the HTTP request line in Apache has become stricter,
now rejecting some illegal requests which earlier versions accepted. Any
client applications which were generating illegal request lines and getting
away with it will find that when talking to Apache 1.3.26 a 400 Illegal
Request error response will be returned. An example of an
illegal request line would be one that includes an unescaped space character
in the URI. Consensus on the list was that the code should be
reverted to the previous behaviour, following the IETF maxim: "be
liberal in what you accept".
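The two behaviours described above, as an added example that is not Apache's own code: a strict parser that rejects any request line not made of exactly three fields, a liberal one that recovers the URI by treating the last field as the version, and the escaping a well-behaved client should apply. The sample request lines are constructed.

```python
"""Request-line parsing: strict (three fields only) versus liberal.

Simplified model of the behaviour change described above; it is not
Apache's own code.  The sample request lines below are constructed.
"""
import re
from urllib.parse import quote

VERSION_RE = re.compile(r"HTTP/\d+\.\d+")
# Characters allowed in an HTTP method token (RFC 2616 "token").
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_request_line_strict(line):
    """Accept only 'METHOD SP Request-URI SP HTTP-Version'.

    Any extra space-separated field (for example an unescaped space
    inside the URI) makes the line ambiguous, so it is rejected and the
    caller should answer 400.  Returns a dict, or None on rejection.
    """
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 3:
        return None
    method, uri, version = fields
    if not (TOKEN_RE.fullmatch(method) and uri and VERSION_RE.fullmatch(version)):
        return None
    return {"method": method, "uri": uri, "version": version}


def parse_request_line_liberal(line):
    """Recover from an unescaped space: first field is the method, last
    field is the version, everything in between is taken as the URI.
    Returns a dict, or None when even that does not fit.
    """
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) < 3:
        return None
    method, version = fields[0], fields[-1]
    if not (TOKEN_RE.fullmatch(method) and VERSION_RE.fullmatch(version)):
        return None
    return {"method": method, "uri": " ".join(fields[1:-1]), "version": version}


def escape_uri(path):
    """What a well-behaved client should send: percent-encode the space."""
    return quote(path, safe="/")


# Constructed examples: a correctly escaped line and an illegal one.
GOOD_LINE = "GET /docs/my%20file.html HTTP/1.0\r\n"
BAD_LINE = "GET /docs/my file.html HTTP/1.0\r\n"
```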
Those of you who prefer tinkering with Apache to playing the latest
Playstation game may be interested in Chris Taylor's announcement
of a binary build of Apache 2.0.39 for PS/2 Linux installations.
Two weeks ago we covered the
details of the Chunked encoding vulnerability. This vulnerability allows
a remote attacker to run arbitrary code on your server depending on your
platform. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2002-0392 to this issue.
We strongly suggest that all users of Apache update their
distributions to 1.3.26 or 2.0.39 or
apply this patch to existing installations.
Over the last week various reports about an "Apache Worm" have surfaced.
The worm currently seems to be fairly benign, focussing its attention
on some FreeBSD systems only. Here are some of the news articles
that covered the Apache worm:
In this section we highlight some of the articles on the web that are of
interest to Apache users.
Web Developer's Virtual Library provides chapter 6 ("Security and users")
of the book, "Web Development with Apache and Perl" by Theo Petersen
in a few online installments for your perusal.
Part I
covers the basics of Secure Sockets Layer (SSL) and certificates, the
steps to install OpenSSL and mod_ssl with Apache,
and the steps to configure and test that your SSL-enabled Apache is
working. Then
Part II
continues with setting up user authentication, and writing your own
login page. There are still two more subsections on user
management and login sessions to go before wrapping up this chapter.
Other reviews of the above book are available at
Linux Journal,
Perl Monks,
and
MetroWest Perl Mongers.
Interested in reading more? Then you can download two sample
chapters from its
companion website.
Our colleagues at Wrox Press have given us two copies of their
book "Professional Apache 2.0" to give away.
Written by Apache Week reader and space tourism evangelist
Peter Wainwright, the book covers all aspects of serving web
sites using the Apache 2.0 web server.
Read our
comprehensive
review all about it.
If you have not already entered for a chance to get your hands on a copy of the book, answer this simple
question:
Which one of the following is the name of the security group
that posted the first working exploit for the Apache chunked
encoding vulnerability?
A) GRUMBLES, B) GOBBLES, or C) GURGLES
Send your answer to googles@apacheweek.com
to reach us no later than July 10th 2002.
Your email address will not be used for
anything other than to let you know if you are a lucky winner.
Two winners will be drawn at random from all correct entries submitted.
One entry per person, no cash alternative.