The new mod_logio module included in the Apache 2.0.43 release
was under discussion this week. The purpose of this module is to allow
logging the number of bytes sent or received per request; this is
achieved by adding new format string specifiers %I and
%O which can be used in CustomLog
or LogFormat directives. These new specifiers
are only available when mod_logio is loaded. It was
discovered that under some circumstances, when a connection was
aborted and not all of the response sent, the number of bytes
logged was not accurate. After
the best way to fix this had been determined, a patch was committed
for the next release.
An otherwise quiet week on the development list brought an
announcement from ASF Director Roy Fielding on whether it was possible
to distribute binary builds of Apache which include SSL support from
the www.apache.org server, which is located in the US. The decision
was that it was not desirable to distribute SSL-enabled binaries from
www.apache.org. This was more for practical reasons than legal ones,
as it would require redistributing OpenSSL sources from the same
location, and going through the notification process required by the
US Government for those distributing cryptography software.
A cross-site scripting vulnerability in mod_ssl
was announced this week, which affects versions of
mod_ssl earlier than 2.8.12. If a plain HTTP request
is mistakenly sent to an SSL-enabled port, mod_ssl
sends a custom error response message redirecting the user to the
correct port. This error response contains the server name in
Like the other recent Apache
cross-site scripting bugs, this only affects servers using a
combination of UseCanonicalName off (which is not the
default in 1.3) and wildcard DNS. If an attacker is able to exploit
the bug, they may be able to steal cookies or other sensitive user
information from the browser. The version of mod_ssl included in
Apache 2.0 is not vulnerable to this issue.
In this section we highlight some of the articles on the web that are of
interest to Apache users.
"Apache Log Analysis Using Python"
shows you how to use Python to extract data from the Apache's
access_log file. It first presents a framework for analysing generic text files
using Python, then goes on to demonstrate how to use the framework
to glean information about returning visitors and referring domains.
The source code files are available for download.
Linux Journal provides an
from the book "Multitool Linux" on how to build a secure webmail
service which supports IMAP and SSL. It walks you through the steps
of setting up an IMAP server, building a mod_ssl
and PHP4 enabled Apache web server, installing
Aeromail which is the webmail package used, and testing the whole
implementation. It also lists other webmail packages which you may
use instead of Aeromail.
"Spam-Proofing Your Website"
describes a few methods to lessen the amount of Spam you receive
due to providing your email address on your website to allow people to
to contact you. It examines the possible ways that
spammers use to obtain your email address. Then it looks at how
the disadvantages of using this technique. You can also provide a web
form for users to contact you or use URL-rewriting to redirect known
spambots to another page.
The Developer Shed ends the "The Art Of Software Development" series
on Web applications with the fifth and final installment entitled
It explains the activities in the post-release phase which include
selling additional services such as technical support and training to the
users, securing a software maintenance contract, and auditing the
whole project to improve the estimates, implementation, and quality
control of future projects.