The new mod_logio module included in the Apache 2.0.43 release
was under discussion this week. The purpose of this module is to allow
logging the number of bytes sent or received per request; this is
achieved by adding new format string specifiers %I and
%O which can be used in CustomLog
or LogFormat directives. These new specifiers
are only available when mod_logio is loaded. It was
discovered that under some circumstances, when a connection was
aborted and not all of the response sent, the number of bytes
logged was not accurate. After
the best way to fix this had been determined, a patch was committed
for the next release.
An otherwise quiet week on the development list brought an
announcement from ASF Director Roy Fielding on whether it was possible
to distribute binary builds of Apache which include SSL support from
the www.apache.org server, which is located in the US. The decision
was that it was not desirable to distribute SSL-enabled binaries from
www.apache.org. This was more for practical reasons than legal ones,
as it would require redistributing OpenSSL sources from the same
location, and going through the notification process required by the
US Government for those distributing cryptography software.
A cross-site scripting vulnerability in mod_ssl
was announced this week, which affects versions of
mod_ssl earlier than 2.8.12. If a plain HTTP request
is mistakenly sent to an SSL-enabled port, mod_ssl
sends a custom error response message redirecting the user to the
correct port. This error response contains the server name in
unescaped HTML.
Like the other recent Apache
cross-site scripting bugs, this only affects servers using a
combination of UseCanonicalName off (which is not the
default in 1.3) and wildcard DNS. If an attacker is able to exploit
the bug, they may be able to steal cookies or other sensitive user
information from the browser. The version of mod_ssl included in
Apache 2.0 is not vulnerable to this issue.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Apache Log Analysis Using Python"
shows you how to use Python to extract data from Apache's
access_log file. It first presents a framework for analysing generic text files
using Python, then goes on to demonstrate how to use the framework
to glean information about returning visitors and referring domains.
The source code files are available for download.
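Tying the mod_logio specifiers above to the kind of log analysis the article describes, here is an added example (not from the article or the Apache project) that parses an access_log written with an assumed LogFormat of "%h %l %u %t \"%r\" %>s %b %I %O" and sums bytes received and sent per client; the sample lines are constructed, and the "short response" check is a heuristic that assumes %b is the body size the handler produced while %O is what actually reached the wire.

```python
import re
from collections import defaultdict

# Assumed format, not taken from the page (%I and %O require mod_logio):
#   LogFormat "%h %l %u %t \"%r\" %>s %b %I %O" io
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body>-|\d+) '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+)$'
)

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2002:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 312 2301
10.0.0.5 - - [01/Oct/2002:10:00:02 +0000] "GET /big.iso HTTP/1.1" 200 1048576 298 65536
10.0.0.9 - - [01/Oct/2002:10:00:03 +0000] "POST /upload HTTP/1.1" 201 - 52000 190
10.0.0.9 - - [01/Oct/2002:10:00:04 +0000] "GET /missing HTTP/1.1" 404 210 250 510
garbage line that does not match the format
"""

def parse_line(line):
    """Return a dict of fields, or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["body"] = 0 if d["body"] == "-" else int(d["body"])  # %b logs "-" for no body
    d["bytes_in"] = int(d["bytes_in"])    # %I: bytes received, headers included
    d["bytes_out"] = int(d["bytes_out"])  # %O: bytes sent, headers included
    return d

def traffic_by_host(text):
    """Sum %I and %O per client: {host: (bytes_in, bytes_out, requests)}."""
    totals = defaultdict(lambda: [0, 0, 0])
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the run
        t = totals[rec["host"]]
        t[0] += rec["bytes_in"]
        t[1] += rec["bytes_out"]
        t[2] += 1
    return {h: tuple(v) for h, v in totals.items()}

def short_responses(text):
    """Heuristic (assumption): fewer bytes on the wire (%O) than the body
    size the server meant to send (%b) suggests the client went away
    before the response completed."""
    return [rec["request"] for rec in map(parse_line, text.splitlines())
            if rec and rec["bytes_out"] < rec["body"]]
```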
Linux Journal provides an
excerpt
from the book "Multitool Linux" on how to build a secure webmail
service which supports IMAP and SSL. It walks you through the steps
of setting up an IMAP server, building a mod_ssl
and PHP4 enabled Apache web server, installing
Aeromail, the webmail package used, and testing the whole
implementation. It also lists other webmail packages which you may
use instead of Aeromail.
"Spam-Proofing Your Website"
describes a few methods to lessen the amount of spam you receive
as a result of publishing your email address on your website so that people
can contact you. It examines the possible ways that
spammers use to obtain your email address. Then it looks at how
you can use JavaScript to hide your email address on your website and
the disadvantages of using this technique. You can also provide a web
form for users to contact you, or use URL-rewriting to redirect known
spambots to another page.
The Developer Shed ends its "The Art Of Software Development" series
on Web applications with the fifth and final installment, entitled
"Adding Value".
It explains the activities in the post-release phase which include
selling additional services such as technical support and training to the
users, securing a software maintenance contract, and auditing the
whole project to improve the estimates, implementation, and quality
control of future projects.