Apache Week issue 319
Author: Apache Week
Date: Fri, 24 Jan 2003 17:45
APACHE WEEK
The essential weekly guide for users of the world's most popular Web server.

Issue 319: 24th January 2003

In this issue

  * Security Reports
  * In the news
  * Apache 2.0.44 Released
  * Featured articles

Security Reports

This week a pair of security issues have been announced that affect Windows versions of the 2.0 Apache httpd server.

  * Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain files other than the ones they requested via an HTTP request that contains certain illegal characters such as <. As an example, a file in the document root called "aa" would be returned by a request to Apache of http://www.example.com/fred/<a. This issue was reported to the Apache Security Team by Lionel Brits on 25th November 2002. The Common Vulnerabilities and Exposures project has assigned the name [1]CAN-2003-0017 to this issue.

  * Apache 2.0 before 2.0.44 on Windows platforms can be made to crash or, in some cases, execute arbitrary code by malicious requests that contain MS-DOS device names. Part of this issue is not limited to Apache: it is a known security issue that accessing various MS-DOS device names can cause some Windows versions to crash. A [2]Microsoft security bulletin contains a patch that should also be applied to vulnerable systems. This issue was reported to the Apache Security Team by Matthew Murphy on 4th December 2002. The Common Vulnerabilities and Exposures project has assigned the name [3]CAN-2003-0016 to this issue.

These issues have both been fixed in Apache 2.0.44, which is now available. Windows users will also need to apply a patch to get Apache 2.0.44 to work correctly on their systems. The patch is [4]available for download and more information about the problem is available in [5]BZ#16288.

In the news

Cross-Site Tracing issues

Earlier this week a paper was published, [6]"Cross-Site Tracing", which gave details of how the HTTP TRACE request could be used in Cross-Site Scripting attacks.
Unfortunately this issue has not been very well understood by the media and has received an unwarranted amount of attention.

When an HTTP TRACE request is sent to a web server that supports it, the server responds by echoing back the request it received, including any HTTP headers. The paper explains that some browsers can be scripted to perform a TRACE request. A browser with this functionality could be made to issue a TRACE request against an arbitrary site and pass the results on elsewhere. Since a browser automatically attaches authentication details and cookies to any request it sends to the site that issued them, a user with such a browser could be tricked into sending their cookies or authentication details for arbitrary sites to an attacker. For example, if you visited a page that an attacker has carefully crafted, the page could cause your browser to bounce a TRACE request off some site for which you hold authentication cookies. The result of the TRACE is a copy of what was sent to that site, which therefore includes those cookies or authentication data. The crafted page can then pass that information on to the attacker.

TRACE requests can be disabled by making a change to the Apache server configuration. Unfortunately it is not possible to do this using the Limit directive, since the processing for the TRACE request skips this authorisation checking. Instead the following lines, which make use of the mod_rewrite module, can be added:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

Although the particular attack highlighted made use of the TRACE functionality to grab authentication details, this isn't a vulnerability in TRACE, or in the Apache web server. The same browser functionality that permits the published attack can be used for different attacks even if TRACE is disabled on the remote web server.
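The script below is an added example, not code from Apache Week or from the Apache project, that turns the two Windows reports above and the TRACE discussion into detection logic over Apache access-log lines: it flags request paths containing characters that are illegal in Windows file names (the CAN-2003-0017 pattern), path segments that name an MS-DOS device (the CAN-2003-0016 pattern), and TRACE requests answered with 200, which means the server is still echoing requests. The log lines are constructed for the example. It assumes the Common Log Format and that a TRACE refused by the mod_rewrite rule above is logged with status 403, which is what the [F] flag produces.

```python
import re
from urllib.parse import unquote

# Characters that cannot appear in a Windows file name. A request path that
# contains one cannot name a legitimate file, so it is either a client bug or
# a probe for the path mangling described under CAN-2003-0017.
WIN_ILLEGAL = set('<>:"|?*')

# Reserved MS-DOS device names (CAN-2003-0016). Windows resolves "CON",
# "con.txt" and "CON.anything" to the device, so only the first dot-separated
# part of a path segment matters.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{n}" for n in range(1, 10)} | {f"LPT{n}" for n in range(1, 10)}

# Common Log Format; the request line is captured as method, URI, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def path_findings(uri):
    """Return a list of tags describing why a request path looks like a probe."""
    path = unquote(uri.split("?", 1)[0])   # %3C and friends decode to the raw char
    tags = []
    bad = sorted(WIN_ILLEGAL & set(path))
    if bad:
        tags.append("illegal-chars:" + "".join(bad))
    for seg in path.split("/"):
        base = seg.split(".", 1)[0].rstrip(" .").upper()
        if base in DOS_DEVICES:
            tags.append("dos-device:" + base)
    return tags


def scan(lines):
    """Return (ip, request, tags) for every log line that matches a detector."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = path_findings(m["uri"])
        # A TRACE answered with 200 means the server still echoes requests,
        # i.e. the mod_rewrite block is not in effect for this host.
        if m["method"] == "TRACE" and m["status"] == "200":
            tags.append("trace-echoed")
        if tags:
            hits.append((m["ip"], f'{m["method"]} {m["uri"]}', tags))
    return hits


# Constructed sample log lines (not real traffic): one per condition, a TRACE
# that the rewrite rule refused, and a benign request that must not be flagged.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Jan/2003:17:45:01 +0000] "GET /fred/<a HTTP/1.0" 200 512',
    '192.0.2.10 - - [24/Jan/2003:17:45:02 +0000] "GET /fred/%3Ca HTTP/1.0" 200 512',
    '192.0.2.11 - - [24/Jan/2003:17:45:03 +0000] "POST /cgi-bin/aux.pl HTTP/1.0" 500 0',
    '192.0.2.12 - - [24/Jan/2003:17:45:04 +0000] "GET /docs/lpt1 HTTP/1.1" 404 0',
    '192.0.2.13 - - [24/Jan/2003:17:45:05 +0000] "TRACE / HTTP/1.0" 200 240',
    '192.0.2.13 - - [24/Jan/2003:17:45:06 +0000] "TRACE / HTTP/1.0" 403 295',
    '192.0.2.14 - - [24/Jan/2003:17:45:07 +0000] "GET /index.html HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for ip, req, tags in scan(SAMPLE_LOG):
        print(f"{ip:15} {req:28} {', '.join(tags)}")
```

Run as a script it prints the five flagged entries; scan() can equally be fed a real access log line by line. Two caveats when using the TRACE check: mod_rewrite directives in the main server configuration are not inherited by VirtualHost sections unless RewriteOptions inherit is set, so the rule has to be present in every virtual host, and a "trace-echoed" hit is the quickest way to find a host that was missed. Disabling TRACE removes only the echo; the browser-side scripting that makes the published attack possible is still there.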
For example an attacker could create a carefully crafted page that, when visited, submits a hidden request to some arbitrary site through your browser, grabs the result and passes it to the attacker.

Apache 2.0.44 Released

Apache 2.0.44 was released on 21st January 2003 and is now the latest version of the Apache 2.0 server. The previous release was 2.0.43, released on 3rd October 2002. [7]See what was new in Apache 2.0.43. [8]Apache 2.0.44 is available for download.

This is a security, bug fix and minor upgrade release. Due to security issues, any sites using versions prior to Apache 2.0.44 on Windows should upgrade to Apache 2.0.44. [9]Read more about the other security issues that affect Apache 2.0.

Security issues

  * Apache was vulnerable to a denial of service attack via a request for an MS-DOS device name on Windows 9x and Me. [10]CAN-2003-0016
  * Apache allowed arbitrary code execution via a crafted POST request containing an MS-DOS device name on Windows 9x and Me.
  * Apache could be forced to serve unexpected files on Windows platforms by appending illegal characters such as '<' to the request URL. [11]CAN-2003-0017

Bugs fixed

The following bugs were found in Apache 2.0.43 and have been fixed in Apache 2.0.44:

  * Allow escaping of the % sign in CustomLog format strings
  * mod_setenvif: fix BrowserMatchNoCase for non-regex patterns
  * Return appropriate MIME response headers for negotiated responses from a body embedded in a type-map
  * Prevent a 416 "Range not satisfiable" response being sent in place of a redirect
  * Prevent files being left open for the duration of a keepalive connection, which could cause a "Too many open files" error
  * mod_ssl: several fixes for memory handling and leaks
  * mod_proxy: fix invalid Content-Length from pages fetched during server-side include processing
  * LDAP modules: ensure correct load order in httpd.conf ([12]BZ#14256); fix compatibility with Netscape LDAP libraries; fix Win32 build
  * mod_deflate: fix a memory leak when compressing dynamic content; always emit Vary headers
  * mod_isapi: fix several compatibility problems ([13]BZ#14399, [14]BZ#10408), and fix a bug which caused invalid responses or log entries ([15]BZ#10216)
  * CGI modules: fix streaming output from "nph-" scripts, for example CGI::IRC ([16]BZ#8482); fix construction of the command line from query strings ([17]BZ#13914); handle environment variables which contain newlines in mod_cgid ([18]BZ#14550); terminate CGI scripts when the connection is dropped ([19]BZ#8388)
  * Caching modules: many bug fixes (including [20]BZ#14556), and an HTTP compliance fix ([21]BZ#14556)

New features

  * Add an --enable-v4-mapped configure option to allow or disallow connections from IPv4-mapped addresses to IPv6 addresses, on applicable platforms ([22]BZ#14037, [23]PR#7492)
  * Add the IndexOptions IgnoreCase option to mod_autoindex ([24]BZ#14276)
  * Add the EnableSendfile directive to disable use of sendfile() when necessary (for instance when serving an NFS share)
  * Add the ProxyBadHeader directive to dictate handling of invalid HTTP response headers
  * Add the SERVER_ADDR keyword to mod_setenvif, to represent the server IP address for a particular request
  * Performance improvements
  * Add the -S command-line option to httpd, equivalent to -t -DDUMP_VHOSTS

Featured articles

In this section we highlight some of the articles on the web that are of interest to Apache users.

[25]"Unifying Web Clusters with Spread" describes how Spread, a toolkit that provides a messaging service, can be used to implement distributed logging and to monitor applications running on many Web servers easily. The Apache module mod_log_spread is an example where Spread is used to gather access logs for large web clusters into a single access log file.

O'Reilly ONLamp.com shows you [26]how to configure and build your very own PHP 4.3 on Mac OS X. It provides a step-by-step guide to configuring PHP to enable additional extensions, such as support for reading and writing XML using the DOM and for communicating with LDAP servers, and other parameters for a basic Apache and PHP installation.

[27]"Security with PHP Superglobals" explains the concept of PHP Superglobals in layman's terms. It starts by discussing the two methods for submitting data through web forms, GET and POST. Then it looks at the problem of identifying the origins of variables and how Superglobals attempt to solve this.

______________________________________________________________

This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan

Comments or criticisms? Please email us at [28]editors@apacheweek.com.

[29]Apache Week is Copyright 2003 [30]Red Hat, Inc.

References

 1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017
 2. http://www.microsoft.com/technet/Security/Bulletin/ms00-017.asp
 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
 4. http://httpd.apache.org/download.cgi
 5. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16288
 6. http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
 7. http://www.apacheweek.com/features/apache2043
 8. http://httpd.apache.org/download.cgi
 9. http://www.apacheweek.com/features/security-20
10. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0016
11. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0017
12. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14256
13. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14399
14. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10408
15. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10216
16. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8482
17. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13914
18. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14550
19. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8388
20. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14556
21. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14556
22. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14037
23. http://bugs.apache.org/index/full/7492
24. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14276
25. http://www.samag.com/documents/sw89/sam0302a/0302a.htm
26. http://www.onlamp.com/pub/a/php/2003/01/17/phpcookbook.html
27. http://www.linuxjournal.com/article.php?sid=6459
28. mailto:editors@apacheweek.com
29. http://www.apacheweek.com/
30. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe: https://listman.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------