Apache Week issue 321
Author: Apache Week
Date: Fri, 21 Feb 2003 17:56
                                APACHE WEEK

The essential weekly guide for users of the world's most popular Web server.
                       Issue 321: 21st February 2003

                                 In this issue

     * Under development
     * Security Reports
     * Featured articles

                               Under development

     The   development   of  a  new  MySQL-based  authentication  module
     mod_authn_mysql  received  some  attention  on the development list
     this  week. This module is of particular interest as it is designed
     to  use  the new authentication framework in the unstable httpd-2.1
     tree  -  a  combination  which  for the first time allows Apache to
     authenticate  a user against a MySQL database when using the Digest
     authentication  protocol.  Previously  under  Apache  1.3  and 2.0,
     extension  modules such as mod_auth_mysql were limited to using the
     less secure Basic authentication protocol.

     New  releases  from the 2.0 and 1.3 trees are in the pipeline; with
     version  numbers 2.0.45 and 1.3.28, the releases currently look set
     to include mainly minor bug fixes.

                               Security Reports

OpenSSL timing attack

     In  a  [1]memo  describing  an  upcoming paper, Brice Canvel, Alain
     Hiltgen,   Serge   Vaudenay,   and  Martin  Vuagnoux  describe  and
     demonstrate  a  timing-based  attack on CBC ciphersuites in SSL and
     TLS.  An  active attacker may be able to use timing observations to
     distinguish  between  two  different  error  cases:  cipher padding
     errors  and MAC verification errors. Over multiple connections this
     can leak sufficient information to make it possible to retrieve the
     plaintext of a common, fixed block.

     In  order  for an attack to be successful, an attacker must be able
     to  act  as  a  man-in-the-middle  to intercept and modify multiple
     connections  which all involve a common fixed plaintext block (such
     as  a  password), and have good network conditions that allow small
     changes  in timing to be reliably observed. The attack demonstrated
     in  the  paper  was  performed against a secure e-mail client which
     polled regularly for new mail. To perform an equivalent attack on a
     web  browser  sending  a  request  over SSL, the user would have to
     manually  re-submit  the request several hundred times whilst being
     presented with an error dialog each time.

     Given  these  facts,  it  looks  likely that an attacker would have
     significant  difficulty  in exploiting this flaw to decrypt any SSL
     web  traffic. But as with all vulnerabilities you need to make your
     own risk assessment based on your individual circumstances.

     A  [2]patch  to  correct  this  issue  was  released by the OpenSSL
     project earlier this week. The Common Vulnerabilities and Exposures
     project has assigned the name [3]CAN-2003-0078 to this issue.
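     The check below is an added example (not the paper's or OpenSSL's code)
     that models the post-decryption step the memo targets: the early-return
     version does a different amount of work for a padding error than for a
     MAC error, which is the signal the timing attack measures, while the
     hardened version always runs the MAC and reports a single error, the
     approach the OpenSSL fix took. The key, the record layout and the
     mac_calls counter are constructed for illustration.

```python
import hmac
import hashlib

# Constructed model (not OpenSSL's code) of the last steps of TLS 1.0 CBC
# record processing. After decryption a record is laid out as
#   plaintext || HMAC(plaintext) || pad bytes || pad_len
# where every pad byte and the trailing length byte all equal pad_len.
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for the HMAC-SHA1 suites


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def _padding_ok(record: bytes) -> bool:
    if not record:
        return False
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return False
    return all(b == pad_len for b in record[-(pad_len + 1):])


def _split(record: bytes, pad_len: int):
    """Strip padding, then separate plaintext from the MAC tag."""
    body = record[:len(record) - pad_len - 1]
    return body[:-MAC_LEN], body[-MAC_LEN:]


def check_vulnerable(key: bytes, record: bytes):
    """Returns (accepted, error, mac_calls). Bad padding is rejected before
    any MAC work, so the work done (the attacker's timing signal) differs
    between the two error cases."""
    if not _padding_ok(record):
        return False, "bad_padding", 0
    plaintext, tag = _split(record, record[-1])
    ok = hmac.compare_digest(tag, _mac(key, plaintext))
    return ok, "" if ok else "bad_mac", 1


def check_hardened(key: bytes, record: bytes):
    """Same decision, but the MAC is computed whether or not the padding is
    valid (bad padding is treated as zero-length padding, as the OpenSSL
    fix does) and both failures are reported as one error."""
    pad_ok = _padding_ok(record)
    plaintext, tag = _split(record, record[-1] if pad_ok else 0)
    mac_ok = hmac.compare_digest(tag, _mac(key, plaintext))
    accepted = pad_ok and mac_ok
    return accepted, "" if accepted else "decrypt_error", 1
```

     Removing the coarse branch closes the oracle the memo describes; the MAC
     is still computed over a length that depends on the padding, so this is
     not a fully constant-time record check.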

Oracle mod_dav vulnerability

     This  week  a  security vulnerability in the version of the mod_dav
     module  distributed  by  Oracle  was announced. Oracle had modified
     mod_dav  to  add  logging  of  a particular "502 Bad Gateway" error
     which  can  occur  when using this module; unfortunately the change
     they  made  also introduced a format string vulnerability, allowing
     remote   attackers   to   execute   arbitrary   code.   The  Common
     Vulnerabilities   and  Exposures  project  has  assigned  the  name
     [4]CAN-2002-0842 to this issue.

     This  issue  does  not  affect  any  versions of the mod_dav module
     distributed  from  [5]webdav.org, or the version included in Apache
     2.0.

     The  vulnerability  caused a little confusion since SCO [6]released
     an  advisory  this  week  claiming that OpenLinux was vulnerable to
     this  issue  and  quoting the vulnerability as a problem in "Apache
     mod_dav  module".  SCO  later  [7]withdrew their advisory once they
     were  informed  that OpenLinux had in fact never been vulnerable to
     the  format  string vulnerability at all. Increasing the confusion,
     the  errata  packages  they  provided  as  part  of  their security
     advisory actually added in the modifications Oracle had made to log
     this  "502"  error  and  so  the  SCO  errata packages were in fact
     vulnerable to this issue.

Vendor modifications to Apache

     The  vulnerability  found in the Oracle modifications to mod_dav is
     not the first security hole that has been introduced by third party
     modifications  to Apache by vendors. However our own research based
     on  issues  listed in the CVE dictionary shows that the majority of
     these vulnerabilities are due to poor configuration defaults rather
     than patches for new functionality that went wrong:

     CVE            Type of Issue                                           Severity  Affected

     CAN-2002-0842  Remote attacker can run arbitrary commands              High      Oracle
     CAN-2002-0842  Remote attacker can run arbitrary commands              High      SCO (briefly)
     CAN-2000-1168  Remote attacker can run arbitrary commands              High      IBM
     CVE-2000-1016  Remote attacker can see files in /usr/doc               Low       SuSE Linux
     CVE-2000-0883  Remote attacker can see files in /perl                  Medium    Mandrake Linux
     CVE-2000-0869  Remote attacker can read and write any file in docroot  High      SuSE Linux
     CVE-2000-0868  Remote attacker can obtain the source to CGI scripts    Medium    SuSE Linux
     CVE-2000-0234  Remote attacker can read .htaccess files                Medium    Cobalt
     CVE-1999-0678  Remote attacker can see files in /usr/doc               Low       Debian Linux

     Third-party modifications to Apache have also been known to cause
     other types of bugs. This is often frustrating for the Apache
     Software Foundation, which ends up receiving all the bug reports for
     issues that don't even exist in the official Apache releases. This
     is one of the reasons why the Apache Software Foundation insists
     that vendors who modify Apache change the name of their version so
     it is not confused with official Apache releases.

                               Featured articles

     In  this  section we highlight some of the articles on the web that
     are of interest to Apache users.

     O'Reilly ONLamp.com shows you [17]how to customise "Page Not Found"
     messages using PHP and Apache, and what actions your error-handling
     page  can  take  - such as serving your users another page based on
     the  URL that was not found, creating a new page dynamically from a
     database, or even emailing the webmaster about the missing URL. PHP
     source code listings are provided for all the examples.

     [18]"Compress Web Output Using mod_gzip and Apache" starts with the
     basics  of HTTP compression and then explains how mod_gzip works to
     achieve  this  for  the  Apache  web  server.  A  very  brief guide
     describing how to integrate this module with Apache is provided.

     An  [19]excerpt  from  "Chapter  5: Authentication" of "Apache: The
     Definitive  Guide, 3rd Edition" is now available online courtesy of
     WebReference.com  and O'Reilly. It covers authentication directives
     and passwords.

     Apache XML projects enthusiasts may like to read [20]these articles
     about  some  of the Apache XML projects on Builder.com. Can you mix
     Jelly,  Ant,  and Cocoon together without getting indigestion? Read
     and find out.
       ______________________________________________________________

     This issue brought to you by: Mark J Cox, Joe Orton, Min Min Tsan
     Comments or criticisms? Please email us at
     [21]editors@apacheweek.com.

     [22]Apache Week is Copyright 2003 [23]Red Hat, Inc.

References

   1. http://lasecwww.epfl.ch/memo_ssl.shtml
   2. http://www.openssl.org/news/secadv_20030219.txt
   3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
   4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842
   5. http://www.webdav.org/mod_dav/
   6. http://marc.theaimsgroup.com/?l=bugtraq&m=104551993324812&q=raw
   7. http://marc.theaimsgroup.com/?l=bugtraq&m=104559446010858&q=raw
   8. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842
   9. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0842
  10. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1168
  11. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1016
  12. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0883
  13. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0869
  14. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0868
  15. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0234
  16. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0678
  17. http://www.onlamp.com/pub/a/onlamp/2003/02/13/davidsklar.html
  18. http://webmasterbase.com/article/1029
  19. http://www.webreference.com/internet/apache/chap5/
  20. http://builder.com.com/article.jhtml?id=u00320030219jmo01.htm
  21. mailto:editors@apacheweek.com
  22. http://www.apacheweek.com/
  23. http://www.redhat.com/

----------------------------------------------------------------------
To unsubscribe: https://listman.redhat.com/mailman/listinfo/apacheweek
or send the message   "unsubscribe"  to  apacheweek-request@redhat.com
----------------------------------------------------------------------


