12 Mar 2004 17:06
Apache Week issue 343
Apache Week <apacheweek <at> redhat.com>
2004-03-12 16:06:36 GMT
APACHE WEEK
The essential weekly guide for users of the world's most popular Web server.
Issue 343: 12th March 2004
In this issue
* Security Reports
* Under development
* Apache Conferences
* Featured articles
Security Reports
Over the last few weeks a number of minor security vulnerabilities
that affect the Apache HTTP server have become known to the public.
New releases that contain fixes to these issues are expected to be
made available soon.
CAN-2004-0113: mod_ssl memory leak leads to DoS
A memory leak was found in the mod_ssl module included in Apache
2.0. By sending plain HTTP requests to the SSL port, an attacker
can cause Apache to consume increasing amounts of memory which can
lead to a denial of service.
This issue was reported to the public Apache bugzilla database
([1]BZ#27106) on 20th February 2004. The Common Vulnerabilities and
Exposures project has assigned the name [2]CAN-2004-0113 to this
issue. A [3]fix for this issue has been committed to the CVS tree
and will be included in the next release.
CAN-2003-0993: Allow/Deny parsing on big-endian 64-bit platforms
A bug in the parsing of Allow and Deny rules using IP addresses
without a netmask on big-endian 64-bit platforms causes the rules
to fail to match. This could be an issue for sites that rely on
these directives for access control to particular resources; for
example, the directive Deny from 192.168. would never match.
Fortunately this issue only affects the few big-endian 64-bit
platforms such as sparc64 and powerpc64. This issue only affects
Apache 1.3.
The issue was reported to the public Apache bugzilla database
([4]BZ#23850) on 15th October 2003. The Common Vulnerabilities and
Exposures project has assigned the name [5]CAN-2003-0993 to this
issue. A [6]fix for this issue has been committed to the CVS tree
and will be available in the next release.
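To make the intended semantics of the affected directives concrete, here is an added reference implementation (not Apache's code) of how Allow/Deny IP rules and the Order directive are meant to be evaluated in Apache 1.3, so an administrator can compare the expected decision for a client address against what a particular build actually does. The rule forms, Order names and decision logic follow the Apache 1.3 mod_access documentation; hostname rules are deliberately not handled.

```python
import ipaddress

def parse_rule(rule: str) -> ipaddress.IPv4Network:
    """Turn one Allow/Deny argument into a network using octet-wise
    arithmetic only, so the result does not depend on the width or
    byte order of the host's native integers. Supported forms: 'all',
    a full address, a partial dotted prefix such as '192.168' or
    '192.168.', address/netmask and address/prefix-length."""
    rule = rule.strip()
    if rule.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in rule:                      # 10.0.0.0/255.0.0.0 or 10.0.0.0/8
        return ipaddress.ip_network(rule, strict=False)
    octets = [o for o in rule.split(".") if o != ""]   # drops trailing '.'
    if not 1 <= len(octets) <= 4 or not all(
            o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad address rule: {rule!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)

def rule_matches(rule: str, client_ip: str) -> bool:
    """True if the client address falls inside the rule's network."""
    return ipaddress.ip_address(client_ip) in parse_rule(rule)

def access_decision(order: str, allows, denies, client_ip: str) -> bool:
    """Apply the Order directive to the lists of Allow and Deny rules.
    Returns True when the request should be permitted."""
    allowed = any(rule_matches(r, client_ip) for r in allows)
    denied = any(rule_matches(r, client_ip) for r in denies)
    if order == "Deny,Allow":
        # Deny rules first; an Allow match overrides; default is permit.
        return allowed or not denied
    if order == "Allow,Deny":
        # At least one Allow must match, then any Deny match rejects.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")

if __name__ == "__main__":
    # Constructed example mirroring the rule quoted in the report.
    for ip in ("192.168.1.7", "10.1.2.3"):
        verdict = access_decision("Deny,Allow", [], ["192.168."], ip)
        print(ip, "permitted" if verdict else "denied")
```

A correctly functioning server must deny 192.168.1.7 and permit 10.1.2.3 for the configuration above; a build affected by the bug permits both.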
CAN-2004-0173: Cygwin directory traversal
A bug was found in the encoding enforcements which affects Apache
1.3 and 2.0 when run on the Cygwin platform. A remote attacker can
send maliciously constructed requests using .. (dot dot) sequences
containing encoded backslash characters. These requests can cause
Apache to return any file on the system, including files outside of
the document root.
The issue was reported to the public Apache bugzilla database
([7]BZ#26152) on 15th January 2004. The Common Vulnerabilities and
Exposures project has assigned the name [8]CAN-2004-0173 to this
issue. A fix for this issue will be available in the next releases.
Cookie path restrictions easily bypassed
When sending a cookie to a client you can specify a path
restriction (the path attribute in a Set-Cookie header). A client
should then be reasonably expected to only send that Cookie back to
the server when requesting a resource under that path.
It was [9]reported this week that a number of clients could be
fooled into sending Cookies that had a path attribute to different
paths on the same server by using directory traversal techniques.
For an illustration of this issue let us assume that we are using
the Apache web server and that under our document root we have two
directories, /tony/ and /gordon/. When visiting
http://myhost/tony/, some server application returns a Set-Cookie
header with a /tony/ Path attribute.
Set-Cookie: Password=nibbles; Path=/tony/
Now, when the browser visits http://myhost/tony/ again, the browser
will send the Cookie to the server. However, if the browser visits
http://myhost/gordon/, no Cookie will be sent. This is the expected
behaviour.
Apache will traverse directory paths found in requests, so a
request for /gordon/../tony/ will be treated the same as a request
for /tony/. By encoding this traversal (a "." becomes "%2e") you
can fool most browsers. So with a vulnerable browser, visiting
http://myhost/tony/%2e%2e/gordon/ will actually return the /gordon/
subdirectory but the browser has been tricked into sending the
restricted Cookie. This allows Gordon to steal Tony's cookies.
Some of the open-source web browsers including Mozilla and KDE
Konqueror included a fix for this issue back in the Summer of 2003;
they simply look for attempts at directory traversal and block
sending Cookies, however not all the popular browsers will do so.
It was suggested that to solve this problem Apache should change
its behaviour and not allow directory traversal at all, but in
reality this would only solve part of the problem. Cookie path
restrictions are just as easily circumvented by browsers that allow
multiple frames and JavaScript, for example.
So the conclusion is that there are a number of ways in which
Cookie path restrictions can be circumvented, and not all of them
can be easily fixed. Therefore application developers should be
aware of this and not assume that the Cookie path restrictions are
enforced.
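The mismatch described above comes down to the client comparing the cookie Path against the request path as typed, while the server compares it against the decoded, traversal-resolved path. The following added example (not from the original report or from any browser's code) shows both checks side by side on the /tony/ and /gordon/ paths used in the illustration: the naive prefix test sends the cookie for the encoded traversal, while normalising first, as the fixed browsers effectively do, does not. Percent-decoding is done once, mirroring how the server decodes the request.

```python
import posixpath
from urllib.parse import unquote

def naive_cookie_matches(request_path: str, cookie_path: str) -> bool:
    """The check a vulnerable client effectively performs: a raw prefix
    comparison on the path exactly as it appears in the URL."""
    return request_path.startswith(cookie_path)

def normalize_path(request_path: str) -> str:
    """Resolve the path the way the server will see it: strip any query
    string, percent-decode once, then collapse '.' and '..' segments.
    The trailing slash is preserved so directory requests still compare
    against a directory-style cookie Path such as '/tony/'."""
    path = unquote(request_path.split("?", 1)[0])
    if not path.startswith("/"):
        path = "/" + path
    trailing = "/" if path.endswith("/") else ""
    normalized = posixpath.normpath(path)   # '/tony/../gordon' -> '/gordon'
    if normalized.startswith("//"):         # normpath keeps a leading '//'
        normalized = "/" + normalized.lstrip("/")
    if normalized == "/":
        return "/"
    return normalized + trailing

def safe_cookie_matches(request_path: str, cookie_path: str) -> bool:
    """The check a fixed client should perform: compare the cookie Path
    against the normalised path, so traversal cannot widen its scope."""
    return normalize_path(request_path).startswith(cookie_path)

if __name__ == "__main__":
    cookie_path = "/tony/"                      # from the Set-Cookie header
    for req in ("/tony/", "/gordon/", "/gordon/../tony/", "/tony/%2e%2e/gordon/"):
        print(f"{req:24} server sees {normalize_path(req):10} "
              f"naive={naive_cookie_matches(req, cookie_path)} "
              f"safe={safe_cookie_matches(req, cookie_path)}")
```

Because only the client can apply this check, a server-side application must still treat the Path attribute as advisory and keep secrets for different applications in cookies bound to different hosts, not different paths.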
Under development
Version 2.0 of the Apache License was approved for use by the
Apache Software Foundation board earlier this year, and is now
starting to be applied to new releases of ASF software. The
[10]new license has significant changes from [11]Version 1.1, which
has been in use since 2000, notably its coverage of patent issues.
Compatibility of the new license with the GPL proved to be a
contentious and particularly complicated legal issue and is yet to
be resolved, as [12]described here.
Preparations are underway for a new release from the 2.0 tree;
version 2.0.49 will follow up on the October 2003 release of
2.0.48. Seventy five changes are documented for the new version: of
note is the inclusion of André Malo's rewrite of the mod_include
parser and fixes for several problems in handling of piped logging
programs. A number of mod_ssl issues are also fixed, along with two
regressions in 2.0.48 in mod_autoindex and mod_usertrack. The first
release candidate tarballs received good feedback from testing;
release manager [13]Sander Striker proposed to roll second
candidates with some fixes for BeOS and the documentation.
There was some discussion about the status of 2.0's thread-based
worker MPM on FreeBSD; it was known that with the improvements to
the thread libraries in FreeBSD 5.2 and later, the worker MPM can
operate correctly. Further testing of worker still showed serious
issues when running on the FreeBSD 4.x -STABLE branch; users on
such platforms are recommended to stay with the default prefork
MPM.
Apache Conferences
O'Reilly Open Source Convention 2004
It's cold, wet, and windy in the UK right now; so what better than
to look forward to a summer in Portland, Oregon, host of the
O'Reilly Open Source Convention. This year the conference runs from
July 26-30 with many tracks of interest to Apache users. Conference
registration isn't open yet, but mark the date in your diary and
visit [14]the conference web site for more details.
Featured articles
In this section we highlight some of the articles on the web that
are of interest to Apache users.
Rich Bowen is back, and he's enabling and disabling Apache Modules
in another [15]"A Day in the Life of #Apache". The article examines
why modules are enabled by default and how to tell which you can
safely disable.
The Devx.com article [16]"Armoring Apache HTTP Server with SSL" is
designed to lead you step-by-step to enabling encryption on your
Apache server.
Blane Warrene discusses how to [17]"Configure Web Logs in Apache"
including ways to use the CustomLog directive and how to do log
rotation.
______________________________________________________________
This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at
[18]editors <at> apacheweek.com.
[19]Apache Week is Copyright 2004 [20]Red Hat, Inc.
References
1. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
3. http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12
4. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23850
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
6. http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&r2=1.47
7. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0173
9. http://www.uniras.gov.uk/l1/l2/l3/brief2004/brief-11404.txt
10. http://www.apache.org/licenses/LICENSE-2.0.html
11. http://www.apache.org/licenses/LICENSE-1.1
12. http://www.apache.org/licenses/GPL-compatibility.html
13. http://httpd.apache.org/contributors/#striker
14. http://conferences.oreilly.com/os2004/
15. http://www.onlamp.com/pub/a/apache/2004/02/26/apacheckbk.html
16. http://www.devx.com/opensource/Article/20085
17. http://www.sitepoint.com/article/configuring-web-logs-apache
18. mailto:editors <at> apacheweek.com
19. http://www.apacheweek.com/
20. http://www.redhat.com/