A configuration issue for users migrating from Apache 1.3 to 2.0
which even took the founder of the PHP project by surprise was the
change to PATH_INFO handling. In 1.3,
PATH_INFO is enabled by default, so a PHP script
/script.php will be invoked if a request is made to the
location /script.php/foo/bar, passing a
PATH_INFO of /foo/bar to the script. The
AcceptPathInfo directive was added in 2.0 and
currently must be explicitly enabled for PHP scripts; otherwise a 404
response will be returned. The developers discussed ways to allow the
PHP module to internally enable PATH_INFO support,
removing the need for AcceptPathInfo to be
configured in this case.
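
A simplified model of the behaviour described above, as an added example that is not part of the original article or Apache's own code. The function `resolve`, the `accept_path_info` flag and the sample document root are assumptions made for illustration.

```python
# Added example: simplified model of how a request path is split into a
# script and PATH_INFO, and how accepting or rejecting PATH_INFO changes
# the response. The document root below is constructed sample data.

DOCROOT_FILES = {"/script.php", "/docs/index.html"}
DOCROOT_DIRS = {"/docs"}


def resolve(uri, accept_path_info):
    """Return (status, script, path_info) for a request URI.

    accept_path_info=True  models Apache 1.3, or 2.0 with
                           'AcceptPathInfo On' covering the script.
    accept_path_info=False models a 2.0 setup where trailing path
                           information is rejected.
    Assumes the URI starts with '/' and has no duplicate slashes.
    """
    path = uri.split("?", 1)[0]          # the query string is not PATH_INFO
    current = ""
    for segment in path.strip("/").split("/"):
        current += "/" + segment
        if current in DOCROOT_FILES:
            # Everything after the first regular file is PATH_INFO.
            path_info = path[len(current):]
            if path_info and not accept_path_info:
                return (404, None, None)
            return (200, current, path_info)
        if current not in DOCROOT_DIRS:
            return (404, None, None)      # no such file or directory
    return (404, None, None)              # directory index is out of scope


if __name__ == "__main__":
    for uri in ("/script.php", "/script.php/foo/bar", "/missing.php/foo"):
        for accept in (True, False):
            print(uri, "accept_path_info=%s" % accept, resolve(uri, accept))
```

A migrated site that links to `/script.php/foo/bar` style URLs starts returning 404 for exactly the second case, while plain `/script.php` requests keep working, which is why the change is easy to miss in testing.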
Another 1.3 to 2.0 migration issue arose this week and proved
somewhat controversial: the port number placed in the default
httpd.conf of a new Apache installation. In Apache 1.3,
the port number will be 80 if Apache is built by the root
user, and 8080 otherwise. This behaviour was dropped in 2.0, and the
default httpd.conf always uses port 80. For both
versions, the --with-port=num option can be passed
to ./configure, to override the logic and pick a specific
port.
Three weeks ago we covered the
details of the Chunked encoding vulnerability. This vulnerability allows
a remote attacker to run arbitrary code on your server depending on your
platform (CVE-2002-0392).
This week, Robin Miller at Newsforge
reports
that many Apache servers running FrontPage extensions may still be exposed
to this vulnerability because a FrontPage version that works with the
patched versions of Apache has yet to be released.
Users of Apache 1.2 through 1.3.23 who are for whatever reason not
able to upgrade to the latest release can still
protect themselves against this vulnerability by applying
a source code patch.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
In
"Open-Source Enterprise",
eWeek examines the question of where and how much open-source
software such as the Apache Web server should be deployed in the
enterprise. Before taking the plunge, IT managers should at least
consider these
six questions.
Meanwhile,
"Open Source Gets IT Scrutiny"
looks at how two enterprises, namely Visa International Inc. and
Edmunds.com Inc., evaluate open-source applications.
Linux Magazine reviews 9 useful Unix tools in
"9 Power Tools Are Enough".
This list includes
Apache Toolbox
which enables you to easily compile Apache with third-party modules.
"Why Application Servers Crash and How to Avoid It"
uses queuing theory to analyse various circumstances that caused
web sites to crash. It also provides some guidelines for implementing
a robust web application system.
We received just under 600 entries to our recent competition,
although 2 of those were spam, which goes to show how
quickly email address harvesting robots get to work on a site. The right
answer was of course "Gobbles".
Congratulations to the two lucky winners chosen at random:
Jyhming Tsai (New York) and Michael Moe (Missouri) - your books
are in the post.
Read the Apache Week
review of Professional Apache 2.0 and look out for
more book competitions and reviews coming soon.