Thread View: gmane.comp.apache.apacheweek
1 messages
1 total messages
Started by Apache Week
Fri, 23 Jan 2004 18:43
Apache Week issue 341
Author: Apache Week
Date: Fri, 23 Jan 2004 18:43
Date: Fri, 23 Jan 2004 18:43
136 lines
6489 bytes
6489 bytes
APACHE WEEK
The essential weekly guide for users of the world's most popular Web server.
Issue 341: 23rd January 2004
In this issue
* Under development
* Security Reports
* In the news
* Featured articles
Under development
A change was proposed recently to allow the ServerTokens directive
to change the product name returned in the Server header, for
example using ServerTokens Set IIS/5.0. Some server administrators
request such a feature in the belief that it will improve security,
under the assumption that attackers will not try Apache exploits if
the server is running IIS. In reality, a determined attacker will
easily be able to determine what software the server is running
without relying on the Server header, so this feature has no real
security benefit. As usual, there was strong opposition to the
change: determined server administrators can still change the
Server string at compile-time without needing a configuration
option.
Security Reports
In the last month, two reports have been sent to the bugtraq
mailing list by Steve Grubb concerning methods of hijacking Apache
servers using PHP or mod_perl. The reports are made under the
assumption that these two modules can be safely used to execute
scripts written by untrusted authors, and include examples of how
such scripts can take over the processing of incoming HTTP or SSL
requests.
PHP (when used as an Apache module) and mod_perl are similar in
that they both process, interpret, and execute scripts from within
an Apache httpd child process. This means that the privileges
available to an httpd child process are also available to the
script interpreters: this includes, naturally, the ability to
accept new requests from clients. Since all child processes run
with the same user ID, it is also possible to use signals to
terminate or stop one child process from within another.
Unlike languages like Java, the interpreters for languages such as
PHP and Perl were not designed to provide a carefully restricted
"sandbox" in which code is executed. Perl code is essentially
unlimited in the facilities available, as most C library functions
and resources are readily usable. PHP code is somewhat restricted
in capability, although issues in the interpreter and myriad
extension modules have been repeatedly shown to allow scripts to
escape the "sandbox" in recent times.
The conclusion is that the scripts used with any current in-process
scripting modules with Apache must be trusted with the privileges
of the httpd child process in which they execute. For execution of
less-trusted scripts, different solutions must be used such as CGI
under suexec - sacrificing performance for security.
In the news
Who patches Open Source?
James Maguire asks [1]"Who patches Open Source?". With closed
source vendors it's easy to know who to turn to if you have a
problem with the software you have purchased, but in turn you are
also locked into getting your fixes from that same vendor. This
article takes a look at the difference with Open Source software
and in particular the Apache web server which is shipped by a large
number of vendors. Due to the transparency of open source, a Linux
user can turn to their distribution vendor to fix an issue, or to
the Apache Software Foundation, or to one of a number of third
parties that provide paid-for support.
Apache and his dog
If you've ever wondered which Apache developer took his dog for a
walk last night, or quite where in the world it is snowing today,
then you'll be riveted to the brand new Apache blog aggregator,
[2]Planet Apache. Joking aside, the site aims to give an insight
into the lives of the Apache members, and more importantly gives
Apache developers the chance to learn about their peers. With
hundreds of Apache committers, many who have never met, this site
will play an important part in helping to build the Apache
community.
Internet Generation Companies
Emiliano Abramzon and colleagues look to see if Apache is a good
example of an Internet Generation Company in their academic paper:
[3]" Apache.org: The Ultimate Internet Generation Organization"
(PDF, 1Mb). They conclude that Apache has a significant competitive
advantage to software competition from the entire openness and
transparency.
Featured articles
In this section we highlight some of the articles on the web that
are of interest to Apache users.
Nick Kew takes Apache Week readers through an extensive look at
reverse proxying in his article [4]"Running a Reverse Proxy with
Apache". He includes details of his mod_proxy_html module which can
solve the common problems associated with running reverse proxies
by methods such as rewriting links.
Apache essentials are covered in [5]"Apache Basics" at
unixreview.com.
______________________________________________________________
This issue brought to you by: Mark J Cox, Joe Orton
Comments or criticisms? Please email us at
[6]editors@apacheweek.com.
[7]Apache Week is Copyright 2004 [8]Red Hat, Inc.
References
1. http://www.newsfactor.com/story.xhtml?story_id"959
2. http://www.planetapache.org/
3. http://www.unc.edu/~mohrmana/apache.pdf
4. http://www.apacheweek.com/features/reverseproxies
5. http://www.unixreview.com/documents/sĀ89/ur0401g/
6. mailto:editors@apacheweek.com
7. http://www.apacheweek.com/
8. http://www.redhat.com/
----------------------------------------------------------------------
To unsubscribe visit https://www.redhat.com/mailman/listinfo/apacheweek
or send the message "unsubscribe" to apacheweek-request@redhat.com
----------------------------------------------------------------------
Thread Navigation
This is a paginated view of messages in the thread with full content displayed inline.
Messages are displayed in chronological order, with the original post highlighted in green.
Use pagination controls to navigate through all messages in large threads.
Back to All Threads