Apache 1.3.28 was released on 18th July 2003 and
      is now the latest version of the Apache 1.3 server. The previous
      release was 1.3.27, released on the 3rd October 2002. See
      what was new in Apache 1.3.27. Apache 1.3.28
      is available for download.
      This is a security, bug fix and minor upgrade release.  Due
      to security issues, any sites using versions of Apache 1.3 
      prior to Apache
      1.3.28 should upgrade to Apache 1.3.28; the security issues
      fixed in this release are covered in the Security Reports section below. Read more
      about the other security issues that affect Apache 1.3.
      
The main new features added since 1.3.27:

        - Win32: the build system can now produce pdb files for
        debugging purposes
        - mod_auth_digest will use the arc4random interface on OpenBSD
        - mod_setenvif defines a new SERVER_ADDR environment variable,
        giving the IP address on which the request was received
The following bugs have been fixed in 1.3.28:

        - mod_rewrite: fix handling of absolute URIs and paths on
        non-Unix systems; allow RewriteEngine Off regardless of Options
        settings; prevent infinite loops in redirects (BZ#12902,
        BZ#12395, BZ#17452)
        - Platform-specific changes: fix loading modules written in
        C++ on HP-UX; choose a safer default accept locking mechanism
        on AIX; fix suexec compilation on SunOS 4 (PR#5913, BZ#9977)
        - The original query string is now appended to the redirect
        destination when a Redirect is configured in directory context
        - Fixes for potential buffer overflows or crashes in
        htdigest and ab (BZ#21085)
        - Performance fix: prevent the server from being limited to
        serving one CGI request every 3 seconds per persistent
        connection (BZ#6961, BZ#8664)
Last week, new security issues were announced that affect
    version 1.3 of the Apache HTTP server; these issues were fixed in the
    1.3.28 release.

    - The rotatelogs support program on Win32 and OS/2 would quit
    logging and exit if it received special control characters such as
    0x1A. This issue was originally discovered by the Hitachi Incident
    Response team and reported to the Apache security team on July 4th
    2003. The Common Vulnerabilities and Exposures project has assigned
    the name CAN-2003-0460 to this issue.
    - It is possible to make Apache 1.3 enter an infinite loop while
    handling internal redirects and nested subrequests. Apache 1.3.28
    fixes this and adds a new LimitInternalRecursion directive that
    bounds the nesting depth.
    - There were some leaks of file descriptors to child processes
    spawned by third-party modules.
More details of security issues that affect Apache 1.3 are available.
    
    Over the last few weeks we've been receiving a number of reports
    where people running Apache servers have found that their servers have
    been used to send out spam email messages.
    It appears that the spammers are using an automated tool to
    find open Apache proxies. If the tool finds an open proxy on your
    machine it sends a POST request through the proxy to the local SMTP
    port (25), passing on the spam messages it wishes to send. Since most
    people will have set up their mail transfer agent to allow relaying
    of mail sent from the local host, the messages get sent out from your
    machine.
    Some of the reporters believe that this is a vulnerability in
    the Apache web server, since it allows proxy connections to arbitrary
    ports. However, the majority of sites that run open Apache proxies
    are doing so because of a misconfiguration rather than by design.
    Open proxies also let attackers who want to target vulnerabilities at
    other sites (such as cross-site scripting attacks, SQL injection
    attacks and so on) hide or complicate their real origin.
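    The abuse described above leaves a recognisable trace in the access
    log: a forward-proxy request carries an absolute URI (or a CONNECT
    host:port) in place of a local path, and the spam tool's requests
    point at an SMTP port. The following Python script is an added
    example, not code from this page or from the Apache project; it
    classifies Common Log Format lines on that basis. The log lines, the
    OWN_HOSTS set and the mail-port set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in Common Log Format; not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2003:10:12:01 +0000] "POST http://127.0.0.1:25/ HTTP/1.0" 200 312
203.0.113.7 - - [18/Jul/2003:10:12:02 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
198.51.100.9 - - [18/Jul/2003:10:13:15 +0000] "GET http://www.example.org/index.html HTTP/1.0" 200 2048
198.51.100.9 - - [18/Jul/2003:10:13:16 +0000] "GET http://www.example.com/index.html HTTP/1.0" 200 1500
192.0.2.5 - - [18/Jul/2003:10:14:00 +0000] "GET /index.html HTTP/1.1" 200 1500
192.0.2.6 - - [18/Jul/2003:10:14:30 +0000] "POST http://10.0.0.3:25/ HTTP/1.0" 403 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

MAIL_PORTS = {25, 465, 587}        # SMTP, SMTPS, submission
OWN_HOSTS = {"www.example.com"}    # assumed: names this server legitimately serves


def classify(line, own_hosts=OWN_HOSTS):
    """Classify one access-log line as local, proxy, smtp-relay or unparsed."""
    m = CLF_RE.match(line)
    if not m:
        return {"kind": "unparsed"}
    ip = m.group("ip")
    method = m.group("method").upper()
    target = m.group("target")
    status = int(m.group("status"))

    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, "443"
        port = int(port) if port.isdigit() else None
    else:
        u = urlsplit(target)
        if not (u.scheme and u.netloc):
            return {"kind": "local", "ip": ip, "status": status}  # ordinary origin request
        host = u.hostname or ""
        try:
            port = u.port
        except ValueError:
            port = None
        port = port or (443 if u.scheme == "https" else 80)

    # HTTP/1.1 servers must accept absolute URIs for their own names, so those are local too
    if host.lower() in own_hosts:
        return {"kind": "local", "ip": ip, "status": status}

    kind = "smtp-relay" if port in MAIL_PORTS else "proxy"
    return {"kind": kind, "ip": ip, "host": host, "port": port,
            "status": status, "forwarded": status < 400}


def scan(log_text, own_hosts=OWN_HOSTS):
    """Summarise proxy use in a log: counts per kind plus the sources of SMTP relay attempts."""
    summary = {"local": 0, "proxy": 0, "smtp-relay": 0, "unparsed": 0,
               "relayed": 0, "relay_sources": set()}
    for line in log_text.splitlines():
        r = classify(line, own_hosts)
        summary[r["kind"]] += 1
        if r["kind"] == "smtp-relay":
            summary["relay_sources"].add(r["ip"])
            if r["forwarded"]:
                summary["relayed"] += 1
    return summary


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    An absolute URI in the request line is not on its own proof that the
    request was proxied, since a server must accept absolute URIs for its
    own hostnames; that is why names in OWN_HOSTS are counted as local and
    why the status code is used to separate requests the server forwarded
    from ones it refused. A 2xx response to a foreign host on port 25 is
    the clearest sign that the proxy is open and being used for relaying.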
    If you are running the Apache web server we'd recommend that
    you take a look at your configuration files and make sure that you
    have not inadvertently set up an open proxy.
    If you do not need to act as a proxy server at all then make
    sure that the directive "ProxyRequests On"
    does not appear in your configuration file.  Note that you do not
    need to use the ProxyRequests directive if you only want to use
    Apache as a reverse proxy.
    However if you do need to act as a proxy server, make sure that
    you only allow authorised hosts to connect.  For example using
    the following configuration sample:
    
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from fred.example.com
</Directory>
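    The following Python audit is an added example, not code from this
    page or from the Apache project. It reads a configuration file and
    flags the condition described above: ProxyRequests On with no
    <Directory proxy:*> block (or the Apache 2.0 form, <Proxy *>) that
    denies by default and allows only named hosts. The three
    configuration fragments are constructed for illustration.

```python
import re

# Constructed configuration fragments for illustration; not taken from a real server.
WEAK_CONF = """\
ServerName www.example.com
LoadModule proxy_module libexec/libproxy.so
# Forward proxying is on and nothing restricts who may use it
ProxyRequests On
ProxyVia On
"""

FIXED_CONF = """\
ServerName www.example.com
LoadModule proxy_module libexec/libproxy.so
ProxyRequests On
<Directory proxy:*>
    Order deny,allow
    Deny from all
    Allow from fred.example.com 192.0.2.0/24
</Directory>
"""

REVERSE_ONLY_CONF = """\
ServerName www.example.com
ProxyRequests Off
ProxyPass /app/ http://app.internal:8080/
ProxyPassReverse /app/ http://app.internal:8080/
"""

# <Directory proxy:*> is the Apache 1.3 form, <Proxy *> the Apache 2.0 form
OPEN_RE = re.compile(r'^<(?:Directory\s+proxy:\*|Proxy\s+\*)\s*>$', re.I)
CLOSE_RE = re.compile(r'^</(?:Directory|Proxy)>$', re.I)


def audit_proxy_config(conf_text):
    """Report whether a configuration turns Apache into an open forward proxy."""
    r = {"proxy_requests_on": False, "acl_block": False, "order": None,
         "deny_all": False, "allow_all": False, "allowed": [], "open_proxy": False}
    in_block = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        words = line.split()
        low = [w.lower() for w in words]
        if not in_block and OPEN_RE.match(line):
            in_block = r["acl_block"] = True
            continue
        if in_block and CLOSE_RE.match(line):
            in_block = False
            continue
        if in_block:
            if low[0] == "order" and len(low) > 1:
                r["order"] = low[1]
            elif low[:2] == ["deny", "from"] and "all" in low[2:]:
                r["deny_all"] = True
            elif low[:2] == ["allow", "from"]:
                if "all" in low[2:]:
                    r["allow_all"] = True
                else:
                    r["allowed"].extend(words[2:])
            continue
        if low[0] == "proxyrequests" and len(low) > 1:
            r["proxy_requests_on"] = low[1] == "on"

    # Default-deny comes either from an explicit "Deny from all" or from
    # "Order allow,deny", under which clients matching no Allow are refused.
    default_deny = r["deny_all"] or r["order"] == "allow,deny"
    restricted = r["acl_block"] and default_deny and not r["allow_all"]
    r["open_proxy"] = r["proxy_requests_on"] and not restricted
    return r


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF),
                       ("reverse-only", REVERSE_ONLY_CONF)):
        print(name, "OPEN PROXY" if audit_proxy_config(conf)["open_proxy"] else "ok")
```

    The reverse-only fragment passes because ProxyPass does not require
    ProxyRequests On. When you do restrict the proxy, prefer IP addresses
    or networks in Allow from: a hostname makes Apache resolve the
    client's address and check that the name maps back, which costs a
    DNS lookup per request and depends on the client's reverse DNS.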
    
      
      A couple of bugs in the mod_include
      filtering logic in 2.0 have been under investigation for a few
      weeks; the relevant fixes have now been identified and checked
      in after the problems were narrowed down to specific test
      cases.
      A bug introduced in the 1.3.28 release was tracked down by
      users a few days after the announcement; BZ#21737 describes how
      CGI scripts run under suexec may be left as "zombie" processes.
      The bug report includes a patch which has been reported to fix
      the problem.
      There was discussion of a patch which would allow modules to
      implement UDP-based protocols in the 2.1 tree, following the
      announcement of a module produced by the Globule Project as part of a
      content replication system.  There was interest in supporting
      such protocols but no decisions were made on exactly how to do
      so.
    
      In this section we highlight some of the articles on the web
that are of interest to Apache users.
    
"Integrating mod_perl with Apache 2.1 Authentication"
covers how to support the new authentication provider API in Apache
2.1 and Digest authentication through mod_perl 2.0
by walking you through the source code of a few modules. It also talks
about how Digest authentication over HTTP works.
In the April 2003 issue of Linux Magazine,
"PHP Caching and Optimization"
lays the groundwork for a look at three PHP add-ons that will improve
the performance of PHP web applications in upcoming issues. It
summarises the way Apache processes requests for a PHP-based
application into six steps and then explains the various optimisations
that could be done at some of the steps.
In
this tutorial,
Martin Brown shows you how to use the Perl Framework component of the
Apache HTTP Test Project
to ensure that your Apache configuration and modules are working
correctly. First, he points out the various situations where you would
need to test an existing Apache setup that is running well. Then he
guides you through the steps of installing the Framework and executing
the tests, and ends with a brief note on how to locate the cause of a
problem.