Over the last few weeks a number of minor security
vulnerabilities that affect the Apache HTTP server have become
known to the public. New releases that contain fixes to these
issues are expected to be made available soon.
A memory leak was found in the mod_ssl module included
in Apache 2.0. By sending plain HTTP requests to the SSL port, an
attacker can cause Apache to consume increasing amounts of memory
which can lead to a denial of service.
This issue was reported to the public Apache bugzilla database
(BZ#27106) on 20th February 2004.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2004-0113
to this issue.
A fix
for this issue has been committed to the CVS tree and will be
included in the next release.
A bug in the parsing of Allow and
Deny rules using IP addresses
without a netmask on big-endian 64-bit platforms causes the rules to
fail to match. This could be an issue to sites that rely on
these directives for access control to particular resources, as
for an example the directive Deny from 192.168.
would never match.
Fortunately this issue only affects the few big-endian 64-bit
platforms such as sparc64 and powerpc64. This issue only affects
Apache 1.3
The issue was reported to the public Apache bugzilla database
(BZ#23850) on 15th October 2003.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2003-0993
to this issue.
A fix
for this issue has been committed to the CVS tree and will be
available in the next release.
A bug was found in the encoding enforcements which affects Apache
1.3 and 2.0 when run on the Cygwin platform. A remote attacker
can send maliciously constructed requests using .. (dot dot) sequences
containing encoded backslash characters. These requests can cause
Apache to return any file on the system, including files outside of
the document root.
The issue was reported to the public Apache bugzilla database
(BZ#26152) on 15th January 2004.
The Common Vulnerabilities and Exposures project
has assigned the name
CAN-2004-0173
to this issue.
A fix for this issue
will be available in the next releases.
When sending a cookie to a client you can specify a path
restriction (the path attribute in a
Set-Cookie header). A client should then be
reasonably expected to only send that Cookie back to the server
when requesting a resource under that path.
It was reported
this week this week that a number of clients could be fooled
into sending Cookies that had a path attribute to different paths
on the same server by using directory traversal techniques.
For an illustration of this issue let us assume that we are
using the Apache web server and that under our document root we
have two directories, /tony/ and
/gordon/. When visiting
http://myhost/tony/, some server application returns
a Set-Cookie header with a /tony/ Path
attribute.
Set-Cookie: Password=nibbles; Path=/tony/
Now, when the browser visits http://myhost/tony/
again, the browser will send the Cookie to the server. However,
if the browser visits http://myhost/gordon/, no Cookie
will be sent. This is the expected behaviour
Apache will traverse directory paths found in requests, so a
request for /gordon/../tony/ will be treated the same
as a request for /tony/. By encoding this
traversal (a "." becomes "%2e") you can fool most browsers. So
with a vulnerable browser, visiting
http://myhost/tony/%2e%2e/gordon/ will actually return
the /gordon/ subdirectory but the browser has been
tricked into sending the restricted Cookie. This allows Gordon
to steal Tony's cookies.
Some of the open-source web browsers including Mozilla and KDE
Konqueror included a fix for this issue back in the Summer of
2003; they simply look for attempts at directory traversal and
block sending Cookies, however not all the popular browsers will
do so.
It was suggested that to solve this problem Apache should
change its behaviour and not allow directory traversal at all, but
in reality this would only solve part of the problem.
Cookie path restrictions are just as easily
circumvented by browsers that allow multiple frames and
JavaScript, for example.
So the conclusion is that there are a number of ways in which
Cookie path restrictions can be circumvented, and not all of them
can be easily fixed. Therefore application developers should be
aware of this and not assume that the Cookie path restrictions are
enforced.
Version 2.0 of the Apache License was approved for use by the
Apache Software Foundation board earlier this year, and is now
starting to be being applied to new releases of ASF software.
The new
license has significant changes from Version
1.1, which has been in use since 2000; notably coverage of
patent issues. Compatibility of the new license with the GPL
proved to be a contentious and particularly complicated legal
issue and is yet to be resolved; as described
here.
Preparations are underway for a new release from the 2.0
tree; version 2.0.49 will follow up on the October 2003 release
of 2.0.48. Seventy five changes are documented for the new
version: of note is the inclusion of André Malo's rewrite of the
mod_include parser and fixes for several
problems in handling of piped logging programs. A number of
mod_ssl issues are also fixed, along with two
regressions in 2.0.48 in mod_autoindex and
mod_usertrack. The first release candidate
tarballs received good feedback from testing; release manager
Sander Striker proposed to
roll second candidates with some fixes for BeOS and the
documentation.
There was some discussion about the status of 2.0's
thread-based worker MPM on FreeBSD; it was known that
with the improvements to the thread libraries in FreeBSD 5.2 and
later, the worker MPM can operate correctly. Further testing of
worker still showed serious issues when running on the
FreeBSD 4.x -STABLE branch; users on such platforms are
recommended to stay with the default prefork MPM.
It's cold, wet, and windy in the UK right now; so what better
than to look forward to a summer in Portland, Oregon, host of the
O'Reilly Open Source Convention. This year the conference runs
from July 26-30 with many tracks of interest to Apache users.
Conference registration isn't open yet, but mark the date in
your diary and visit the the conference web site for more details.
In this section we highlight some of the articles on the web
that are of interest to Apache users.
Rich Bowen is back, and he's enabling and disabling Apache
Modules in another "A
Day in the Life of #Apache". The article examines why modules
are enabled by default and how to tell which you can safely
disable.
The Devx.com article "Armoring
Apache HTTP Server with SSL" is designed to lead you
step-by-step to enabling encryption on your Apache server.
Blane Warrene discusses how to "Configure
Web Logs in Apache" including ways to use the
CustomLog directive and how to do log
rotation.