Apache Week | 12 Mar 17:06 2004


                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                         Issue 343: 12th March 2004

                                 In this issue

     * Security Reports
     * Under development
     * Apache Conferences
     * Featured articles

                               Security Reports

     Over  the last few weeks a number of minor security vulnerabilities
     that affect the Apache HTTP server have become known to the public.
     New  releases that contain fixes to these issues are expected to be
     made available soon.

CAN-2004-0113: mod_ssl memory leak leads to DoS

     A  memory  leak  was found in the mod_ssl module included in Apache
     2.0.  By  sending  plain HTTP requests to the SSL port, an attacker
     can  cause Apache to consume increasing amounts of memory which can
     lead to a denial of service.

     This  issue  was  reported  to  the public Apache bugzilla database
     ([1]BZ#27106) on 20th February 2004. The Common Vulnerabilities and
     Exposures  project  has  assigned the name [2]CAN-2004-0113 to this
     issue.  A  [3]fix for this issue has been committed to the CVS tree
     and will be included in the next release.

CAN-2003-0993: Allow/Deny parsing on big-endian 64-bit platforms

     A  bug in the parsing of Allow and Deny rules that use IP addresses
     without  a  netmask  on big-endian 64-bit platforms causes those rules
     never  to  match.  Sites  that  rely  on  these  directives to control
     access  to  particular  resources  are  affected: for example, Deny from
     192.168.  would  never  match, so the clients it was meant to block are
     let through.

     Fortunately  this  issue  only  affects  the  few big-endian 64-bit
     platforms,  such  as sparc64 and powerpc64, and only Apache 1.3.

     The  issue  was  reported  to  the  public Apache bugzilla database
     ([4]BZ#23850)  on 15th October 2003. The Common Vulnerabilities and
     Exposures  project  has  assigned the name [5]CAN-2003-0993 to this
     issue.  A  [6]fix for this issue has been committed to the CVS tree
     and will be available in the next release.
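
     The  following  is  an added example, not code from mod_access or any
     other  part  of Apache: a small Python model of what an Allow/Deny IP
     argument  means  (all, a full address, a partial prefix such as 192.168.,
     and  address/bits  or  address/mask) and of how Order combines the two
     rule  lists.  It  can  be  used  to  work  out what a rule set ought to
     match  and  compare  that against what a server actually does after the
     fix.  Every  network  and mask is reduced to 32 bits explicitly, so the
     comparison  cannot  depend  on  the host's word size or byte order. The
     addresses and rule set in the demonstration are constructed.

```python
"""Added example: a Python model of the IP forms accepted by Apache 1.3's
Allow from / Deny from and of the Order directive. Not mod_access code."""


def _dotted_to_int(dotted):
    """Convert 'a.b.c.d' into an unsigned 32-bit integer, rejecting bad octets."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | octet
    return value


def parse_rule(spec):
    """Turn the argument of Allow from / Deny from into (network, mask), both
    unsigned 32-bit integers: 'all', a full address, a partial dotted prefix
    such as '192.168.' or '10', address/bits, or address/dotted-mask.
    Results are masked to 32 bits explicitly so they cannot depend on the
    host's word size or byte order."""
    spec = spec.strip()
    if spec.lower() == "all":
        return 0, 0
    if "/" in spec:
        addr_part, mask_part = spec.split("/", 1)
        network = _dotted_to_int(addr_part)
        if "." in mask_part:
            mask = _dotted_to_int(mask_part)
        else:
            bits = int(mask_part)
            if not 0 <= bits <= 32:
                raise ValueError(f"bad prefix length: {spec!r}")
            mask = ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF) if bits else 0
    else:
        octets = [o for o in spec.split(".") if o != ""]
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad address: {spec!r}")
        # A partial address such as '192.168.' means every address whose
        # leading octets are 192.168: pad to four octets, mask only those.
        network = _dotted_to_int(".".join(octets + ["0"] * (4 - len(octets))))
        mask = (0xFFFFFFFF << (8 * (4 - len(octets)))) & 0xFFFFFFFF
    return network & mask, mask


def rule_matches(rule, client_ip):
    """True when client_ip falls inside the (network, mask) pair."""
    network, mask = rule
    return (_dotted_to_int(client_ip) & mask) == network


def access_decision(order, allow_specs, deny_specs, client_ip):
    """Evaluate Order deny,allow or Order allow,deny for one client as the
    Apache documentation describes it: with deny,allow the default is to
    allow and a matching Allow overrides a matching Deny; with allow,deny
    the default is to deny and a matching Deny overrides a matching Allow."""
    allowed = any(rule_matches(parse_rule(s), client_ip) for s in allow_specs)
    denied = any(rule_matches(parse_rule(s), client_ip) for s in deny_specs)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unknown Order: {order!r}")


if __name__ == "__main__":
    # Constructed rule set and clients for the demonstration.
    order, allows, denies = "deny,allow", ["192.168.1.10"], ["192.168."]
    for client in ("192.168.1.5", "192.168.1.10", "10.0.0.1"):
        verdict = "allowed" if access_decision(order, allows, denies, client) else "denied"
        print(f"Order {order}; Allow from {allows}; Deny from {denies}: "
              f"{client} is {verdict}")
```

     With  the  constructed  rule set, 192.168.1.5 is denied, 192.168.1.10
     is  allowed  because  the  Allow  rule  overrides under deny,allow, and
     10.0.0.1  is  allowed by default. A server on which Deny from 192.168.
     never matches would let 192.168.1.5 through as well.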

CAN-2004-0173: Cygwin directory traversal

     A  bug  was found in the encoding enforcements which affects Apache
     1.3  and 2.0 when run on the Cygwin platform. A remote attacker can
     send  maliciously constructed requests using .. (dot dot) sequences
     containing  encoded  backslash characters. These requests can cause
     Apache to return any file on the system, including files outside of
     the document root.

     The  issue  was  reported  to  the  public Apache bugzilla database
     ([7]BZ#26152)  on 15th January 2004. The Common Vulnerabilities and
     Exposures  project  has  assigned the name [8]CAN-2004-0173 to this
     issue. A fix for this issue will be available in the next releases.

Cookie path restrictions easily bypassed

     When  sending  a  cookie  to  a  client  you  can  specify  a  path
     restriction  (the  path attribute in a Set-Cookie header). A client
     should then be reasonably expected to only send that Cookie back to
     the server when requesting a resource under that path.

     It  was  [9]reported this week that a number of clients could be fooled
     into  sending  Cookies  that  had  a path attribute to different paths
     on the same server by using directory traversal techniques.

     For  an  illustration of this issue let us assume that we are using
     the  Apache web server and that under our document root we have two
     directories,  /tony/  and  /gordon/.  When visiting http://myhost/tony/,
     some  server  application  returns  a  Set-Cookie  header with a /tony/
     Path attribute.

Set-Cookie: Password=nibbles; Path=/tony/

     Now, when the browser visits http://myhost/tony/ again, the browser
     will  send the Cookie to the server. However, if the browser visits
     http://myhost/gordon/, no Cookie will be sent. This is the expected
     behaviour.

     Apache  will  traverse  directory  paths  found  in  requests, so a
     request  for /gordon/../tony/ will be treated the same as a request
     for  /tony/.  By  encoding this traversal (a "." becomes "%2e") you
     can  fool  most  browsers.  So  with a vulnerable browser, visiting
     http://myhost/tony/%2e%2e/gordon/ will actually return the /gordon/
     subdirectory  but  the  browser  has  been tricked into sending the
     restricted Cookie. This allows Gordon to steal Tony's cookies.

     Some  of  the  open-source  web  browsers including Mozilla and KDE
     Konqueror included a fix for this issue back in the Summer of 2003;
     they  simply  look  for  attempts  at directory traversal and block
     sending Cookies, however not all the popular browsers will do so.

     It  was  suggested  that to solve this problem Apache should change
     its  behaviour  and  not  allow  directory traversal at all, but in
     reality  this  would  only  solve  part of the problem. Cookie path
     restrictions  are  just  as  easily circumvented in browsers that allow
     multiple  frames  and  JavaScript: a page under /gordon/ can load /tony/
     in  a  frame  and,  since  both  share the same host and so the same
     origin, read the framed document's cookies from script.

     So  the  conclusion  is  that  there  are a number of ways in which
     Cookie  path  restrictions can be circumvented, and not all of them
     can  be  easily  fixed.  Therefore application developers should be
     aware  of this and not assume that the Cookie path restrictions are
     enforced.
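
     As  an  added  example  (not Apache, Mozilla or Konqueror code), the
     Python  below models two things from this issue: the server-side path
     resolution  that  turns  /tony/%2e%2e/gordon/  into  /gordon/, with an
     option  to  treat  an  encoded  backslash  as a separator to show the
     shape  of  the  Cygwin  problem  in  CAN-2004-0173 above (a model of
     the  class  of bug, not Apache's actual code path); and a cookie-jar
     Path  check  done  naively  on  the raw request path beside one done
     on  the  resolved  path.  The  cookie  name and paths come from the
     article;  the  probe  path  /..%5c..%5cetc/passwd  is constructed for
     the example.

```python
"""Added example: a model of server-side path resolution and of a client's
cookie Path check. Not Apache, Mozilla or Konqueror code."""
from urllib.parse import unquote


def resolve_path(raw_path, backslash_is_separator=False):
    """Map a request path to the canonical path a server would serve:
    percent-decode first, then collapse '.' and '..' segments. Returns
    None when the path tries to climb above the document root.

    backslash_is_separator models a platform (Windows, Cygwin) whose
    filesystem honours '\\' as a directory separator. A server that only
    collapses '..' around '/' and then hands the result to such a
    filesystem lets an encoded backslash carry '..' past its check; this
    is a model of the class of bug in CAN-2004-0173, not Apache's code."""
    decoded = unquote(raw_path)
    if backslash_is_separator:
        decoded = decoded.replace("\\", "/")
    segments = decoded.split("/")
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None          # would leave the document root
            out.pop()
        else:
            out.append(seg)
    if not out:
        return "/"
    trailing = segments[-1] in ("", ".", "..")
    return "/" + "/".join(out) + ("/" if trailing else "")


def naive_client_sends_cookie(cookie_path, raw_request_path):
    """Cookie-jar Path check done on the request path exactly as it appears
    in the link, percent-escapes and dot segments included; the behaviour
    the article describes as fooled by /tony/%2e%2e/gordon/."""
    return raw_request_path.startswith(cookie_path)


def hardened_client_sends_cookie(cookie_path, raw_request_path):
    """Check the cookie Path against the path the server will actually
    serve, and send nothing for a request that escapes the root. Mozilla
    and Konqueror's 2003 fix, as the article describes it, was blunter
    (refuse path-scoped cookies on any traversal attempt); both give the
    same answer for the article's example."""
    resolved = resolve_path(raw_request_path)
    if resolved is None:
        return False
    return resolved.startswith(cookie_path)


def demo():
    """The article's Tony/Gordon scenario: Set-Cookie: Password=nibbles;
    Path=/tony/ followed by three requests. Returns, per request, what the
    server serves and whether each kind of client attaches the cookie."""
    cookie_path = "/tony/"
    return {
        req: {
            "served": resolve_path(req),
            "naive_sends": naive_client_sends_cookie(cookie_path, req),
            "hardened_sends": hardened_client_sends_cookie(cookie_path, req),
        }
        for req in ("/tony/", "/gordon/", "/tony/%2e%2e/gordon/")
    }


if __name__ == "__main__":
    for req, row in demo().items():
        print(f"{req:24} served as {row['served']:10} naive client sends "
              f"cookie: {row['naive_sends']!s:6} hardened: {row['hardened_sends']}")
    # Constructed probe for the Cygwin case: harmless to a server that only
    # honours '/', an escape once the backslash counts as a separator too.
    probe = "/..%5c..%5cetc/passwd"
    print(probe, "->", resolve_path(probe),
          "| backslash as separator ->", resolve_path(probe, True))
```

     Running  it  shows  the  naive  client  handing  the  /tony/ cookie to a
     request  that  the  server  serves from /gordon/, while the check on the
     resolved  path  does  not.  The  point  of the article stands either
     way:  a  client  that  gets this right is still open to the frame and
     script  route,  so  an application must not treat Path as a security
     boundary.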

                               Under development

     Version  2.0  of  the  Apache  License  was approved for use by the
     Apache  Software  Foundation  board  earlier  this year, and is now
     starting  to  be  applied  to  new  releases of ASF software. The
     [10]new license has significant changes from [11]Version 1.1, which
     has  been  in  use  since  2000; notably coverage of patent issues.
     Compatibility  of  the  new  license  with  the  GPL proved to be a
     contentious  and particularly complicated legal issue and is yet to
     be resolved, as [12]described here.

     Preparations  are  underway  for  a  new release from the 2.0 tree;
     version  2.0.49  will  follow  up  on  the  October 2003 release of
     2.0.48. Seventy five changes are documented for the new version: of
     note  is  the  inclusion of André Malo's rewrite of the mod_include
     parser  and fixes for several problems in handling of piped logging
     programs. A number of mod_ssl issues are also fixed, along with two
     regressions in 2.0.48 in mod_autoindex and mod_usertrack. The first
     release  candidate  tarballs  received  good feedback from testing;
     release   manager   [13]Sander  Striker  proposed  to  roll  second
     candidates with some fixes for BeOS and the documentation.

     There  was  some  discussion about the status of 2.0's thread-based
     worker  MPM  on FreeBSD; it was known that with the improvements to
     the  thread  libraries in FreeBSD 5.2 and later, the worker MPM can
     operate  correctly.  Further testing of worker still showed serious
     issues  when  running  on  the FreeBSD 4.x -STABLE branch; users on
     such  platforms  are  recommended  to stay with the default prefork
     MPM.

                              Apache Conferences

O'Reilly Open Source Convention 2004

     It's  cold, wet, and windy in the UK right now; so what better than
     to  look  forward  to  a  summer  in  Portland, Oregon, host of the
     O'Reilly Open Source Convention. This year the conference runs from
     July 26-30 with many tracks of interest to Apache users. Conference
     registration  isn't  open  yet, but mark the date in your diary and
     visit the [14]conference web site for more details.

                               Featured articles

     In  this  section we highlight some of the articles on the web that
     are of interest to Apache users.

     Rich  Bowen is back, and he's enabling and disabling Apache Modules
     in another [15]"A Day in the Life of #Apache". The article examines
     why  modules  are  enabled by default and how to tell which you can
     safely disable.

     The  Devx.com article [16]"Armoring Apache HTTP Server with SSL" is
     designed  to  lead  you step-by-step to enabling encryption on your
     Apache server.

     Blane  Warrene  discusses how to [17]"Configure Web Logs in Apache"
     including  ways  to  use  the CustomLog directive and how to do log
     rotation.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton
     Comments or criticisms? Please email us at
     [18]editors <at> apacheweek.com.

     [19]Apache Week is Copyright 2004 [20]Red Hat, Inc.

References

   1. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106
   2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113
   3. http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.100.2.11&r2=1.100.2.12
   4. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23850
   5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
   6. http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_access.c?r1=1.46&r2=1.47
   7. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152
   8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0173
   9. http://www.uniras.gov.uk/l1/l2/l3/brief2004/brief-11404.txt
  10. http://www.apache.org/licenses/LICENSE-2.0.html
  11. http://www.apache.org/licenses/LICENSE-1.1
  12. http://www.apache.org/licenses/GPL-compatibility.html
  13. http://httpd.apache.org/contributors/#striker
  14. http://conferences.oreilly.com/os2004/
  15. http://www.onlamp.com/pub/a/apache/2004/02/26/apacheckbk.html
  16. http://www.devx.com/opensource/Article/20085
  17. http://www.sitepoint.com/article/configuring-web-logs-apache
  18. mailto:editors <at> apacheweek.com
  19. http://www.apacheweek.com/
  20. http://www.redhat.com/
