Bug report for Apache httpd-2 [2006/08/20]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement

Bugzilla Bug ID|Status|Severity|Date Posted|Description
 7483|Ass|Enh|2002-03-26|Add FileAction directive to assign a cgi interpret
 7741|Ass|Nor|2002-04-04|some directives may be placed outside of proper co
 7862|New|Enh|2002-04-09|suexec never log a group name.
 8713|New|Min|2002-05-01|No Errorlog on PROPFIND/Depth:Infinity
 9727|New|Min|2002-06-09|Double quotes should be flagged as T_HTTP_TOKEN_ST
 9903|Opn|Maj|2002-06-16|mod_disk_cache does not remove temporary files
 9945|New|Enh|2002-06-18|[PATCH] new funtionality for apache bench
10114|Ass|Enh|2002-06-21|Negotiation gives no weight to order, only q value
10154|Ass|Nor|2002-06-23|ApacheMonitor interferes with service uninstall/re
10722|Opn|Nor|2002-07-12|ProxyPassReverse doesn't change cookie paths
10775|Ass|Cri|2002-07-13|SCRIPT_NAME wrong value
10932|Opn|Enh|2002-07-18|Allow Negative regex in LocationMatch
11035|New|Min|2002-07-22|Apache adds double entries to headers generated by
11294|New|Enh|2002-07-30|desired vhost_alias option
11427|Opn|Maj|2002-08-02|Possible Memory Leak in CGI script invocation
11540|Opn|Nor|2002-08-07|ProxyTimeout ignored
11580|Opn|Enh|2002-08-09|generate Content-Location headers
11971|Opn|Nor|2002-08-23|HTTP proxy header "Via" with wrong hostname if Ser
11997|Opn|Maj|2002-08-23|Strange critical errors possibly related to mpm_wi
12033|Opn|Nor|2002-08-26|Graceful restart immidiately result in [warn] long
12340|Opn|Nor|2002-09-05|WindowsXP proxy, child process exited with status
12680|New|Enh|2002-09-16|Digest authentication with integrity protection
12885|New|Enh|2002-09-20|windows 2000 build information: mod_ssl, bison, et
13029|New|Nor|2002-09-26|Win32 mod_cgi failure with non-ASCII characters in
13599|Ass|Nor|2002-10-14|autoindex formating broken for multibyte sequences
13603|New|Nor|2002-10-14|incorrect DOCUMENT_URI in mod_autoindex with Heade
13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation
13986|Ass|Enh|2002-10-26|remove default MIME-type
14090|New|Maj|2002-10-30|mod_cgid always writes to main server error log
14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR
14206|New|Maj|2002-11-04|DirectoryIndex circumvents -FollowSymLinks option
14227|Ass|Nor|2002-11-04|Error handling script is not started (error 500) o
14496|New|Enh|2002-11-13|Cannot upgrade 2.0.39 -> 2.0.43. Must uninstall fi
14556|Inf|Nor|2002-11-14|mod_cache with mod_mem_cache enabled doesnt cash m
14858|New|Enh|2002-11-26|mod_cache never caches responses for requests requ
14922|Ass|Enh|2002-11-28| is currently hardcoded to 'apache2'
15045|Ass|Nor|2002-12-04|addoutputfilterbytype doesn't work for defaulted t
15233|Opn|Nor|2002-12-10|move AddType application/x-x509-ca-cert from ssl.c
15235|New|Nor|2002-12-10|add application/x-x509-email-cert, application/x-x
15625|New|Nor|2002-12-23|mention mod_ssl in http://nagoya.apache.org/dist/h
15626|New|Nor|2002-12-23|mention which modules are part of the (binary) dis
15631|New|Nor|2002-12-23|mention in httpd.conf that mod_ssl is not included
15719|Inf|Nor|2002-12-30|WebDAV MOVE to destination URI which is content-ne
15757|Opn|Nor|2003-01-02|Assumption of sizeof (void*)/int begin equal (64-b
15857|Opn|Nor|2003-01-07|MUST handle "chunked" response with a 16385Byte-lo
15859|Opn|Nor|2003-01-07|wrong Content-Length header is forwarded when de-c
15861|New|Nor|2003-01-07|proxy MUST NOT forward hop-by-hop headers
15864|New|Nor|2003-01-07|Connection field value parser and quoted tokens
15865|New|Nor|2003-01-07|proxy forwards response headers matching Connectio
15866|New|Nor|2003-01-07|cache MUST treat incomplete cached response as par
15868|New|Nor|2003-01-07|some HTTP methods MUST cause a cache to invalidate
15870|Opn|Maj|
Bug report for Apache httpd-1.3 [2006/08/20]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement

Bugzilla Bug ID|Status|Severity|Date Posted|Description
 8329|New|Nor|2002-04-20|mime_magic gives 500 and no error_log on Microsoft
 8372|Ass|Nor|2002-04-22|Threadsaftey issue in Rewrite's cache [Win32/OS2/N
 8849|New|Nor|2002-05-07|make install errors as root on NFS shares
 8882|New|Enh|2002-05-07|[PATCH] mod_rewrite communicates with external rew
 9037|New|Min|2002-05-13|Slow performance when acessing an unresolved IP ad
 9126|New|Blk|2002-05-15|68k-next-openstep v. 4.0
 9726|New|Min|2002-06-09|Double quotes should be flagged as T_HTTP_TOKEN_ST
 9894|New|Maj|2002-06-16|getline sub in support progs collides with existin
     |New|Nor|2002-06-19|Incorrect default manualdir value with layout.
10038|New|Min|2002-06-20|ab benchmaker hangs on 10K https URLs with keepali
10073|New|Maj|2002-06-20|upgrade from 1.3.24 to 1.3.26 breaks include direc
10166|Opn|Min|2002-06-24|HTTP/1.1 proxy requests made even when client make
10169|New|Nor|2002-06-24|Apache seg faults due to attempt to access out of
10178|New|Maj|2002-06-24|Proxy server cuts off begining of buffer when spec
10195|New|Nor|2002-06-24|Configure script erroneously detects system Expat
10199|New|Nor|2002-06-24|Configure can't handle directory names with unders
10243|New|Maj|2002-06-26|CGI scripts not getting POST data
10354|New|Nor|2002-06-30|ErrorDocument(.htaccess) fails when passed URL wit
10446|Opn|Blk|2002-07-03|spaces in link to http server seen as foreign char
10666|New|Enh|2002-07-10|line-end comment error message missing file name
10744|New|Nor|2002-07-12|suexec might fail to open log file
10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i
10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc
10939|New|Maj|2002-07-18|directory listing errors
11020|New|Maj|2002-07-21|APXS only recognise tests made by ./configure
11236|New|Min|2002-07-27|Possible Log exhaustion bug?
11265|New|Blk|2002-07-29|mod_rewrite fails to encode special characters
11765|New|Nor|2002-08-16|.apaci.install.tmp installs in existing httpd.conf
11986|New|Nor|2002-08-23|Restart hangs when piping logs on rotation log pro
12096|New|Nor|2002-08-27|apxs does not handle binary dists installed at non
12574|New|Nor|2002-09-12|Broken images comes from mod_proxy when caching ww
12583|New|Nor|2002-09-12|First piped log process do not handle SIGTERM
12598|Opn|Maj|2002-09-12|Apache hanging in Keepalive State
12770|Opn|Nor|2002-09-18|ErrorDocument fail redirecting error 400
13188|New|Nor|2002-10-02|does not configure correctly for hppa64-hp-hpux11.
13274|Ass|Nor|2002-10-04|Subsequent requests are destroyed by the request e
13607|Opn|Enh|2002-10-14|Catch-all enhancement for vhost_alias?
13687|New|Min|2002-10-16|Leave Debug symbol on Darwin
13822|New|Maj|2002-10-21|Problem while running Perl modules accessing CGI::
14095|Opn|Nor|2002-10-30|Change default Content-Type (DefaultType) in defau
14250|New|Maj|2002-11-05|Alternate UserDirs don't work intermittantly
14443|New|Maj|2002-11-11|Keep-Alive randomly causes TCP RSTs
14448|Opn|Cri|2002-11-11|Apache WebServer not starting if installed on Comp
14518|Opn|Nor|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite
14670|New|Cri|2002-11-19|Apache didn't deallocate unused memory
14748|New|Nor|2002-11-21|Configure Can't find DBM on Mac OS X
15011|New|Nor|2002-12-03|Apache processes not timing out on Solaris 8
15028|New|Maj|2002-12-03|RedirectMatch does not escape properly
16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore
16236|New|Maj|2003-01-18|Include directive in Apache is not parsed within c
16241|New|Maj|2003-01-19|Apache processes takes 100% CPU until killed manua
16492|
Re: [PATCH 40026] ServerTokens Off
According to William:

> My 2c, let's adopt the patch for three reasons...
>
> 1. it's an FAQ that would -go away-, less stress for our peer apache
> user supporters

Is it really an FAQ? Hmm ... the last time it was discussed on the dev list was more than 2.5 years ago.

Apart from that, I don't think that it would go away entirely, because I assume (based on the questions I've seen) that many people actually ask about how to change the Server header (and not just about disabling it).

ciao...
--
Lars Eilebrecht - Reality corrupts.
[EMAIL PROTECTED] - Absolute reality corrupts absolutely.
Re: [PATCH 40026] ServerTokens Off
Lars Eilebrecht wrote:
>
> Apart from that, it's also possible to customize the Server header by
> using mod_security which has a configuration directive for this.

My 2c, let's adopt the patch for three reasons...

1. it's an FAQ that would -go away-, less stress for our peer apache user supporters

2. it's not required. Advertising it's not even required, the number of installed Apache servers can be derived from the % of servers which do advertise Apache vs. others that allow users to hide this header, and using that % for the server token blind installations. Clients can default to the lowest common denominator if they aren't able to determine what the server is doing.(*)

3. it will dissuade folks from adopting third-party modules for foolish reasons, sparing those projects to deal only with users who actually plan to take advantage of their real features ;-)

(*) and fools who -use- the 'feature' can pay the penalty for clients which choose not to trust that the anonymous server is capable of -correctly- serving byterange, compression or other features which conserve server load - but aren't consistently implemented properly by all HTTP/1.1 servers ;-)
Re: [PATCH 40026] ServerTokens Off
On 8/20/06, Lars Eilebrecht <[EMAIL PROTECTED]> wrote:
> For offering such an option with Apache I've only seen two arguments:
>
> 1. Making the server more secure by not revealing any (or fake)
> server information.
> 2. Saving bandwidth.

3. Make all the crazy people go away. There may be no valid reason for it, but we're sick of hearing about it so just give it to them so we can get back to real work.

As I've said, I don't have a strong opinion in either direction.

Joshua.
Re: [PATCH 40026] ServerTokens Off
According to Sebastian Nohn:

> I personally think, "ego" is a bad reason for constricting people.

This has nothing to do with "ego". In my opinion it is more than appropriate to put a "label" in the form of the Server header onto the Apache HTTP Server. For example, if I buy a car I can usually order it without the exact type information/logos added to the car, but I just cannot order it without any logo of the manufacturer itself.

For offering such an option with Apache I've only seen two arguments:

1. Making the server more secure by not revealing any (or fake) server information.
2. Saving bandwidth.

Well, when we've had similar discussions in the past they were usually about argument No. 1, but the consensus was always that a security-by-obscurity feature in Apache does not make sense.

Saving bandwidth is a valid point, but as I already pointed out in my previous email, it is only relevant to a very very tiny fraction of Apache users. Those users who run a high-traffic web site usually use self-compiled, or customized versions of Apache anyway, and for them it's easy to modify the code themselves to get rid of the Server header.

Apart from that, it's also possible to customize the Server header by using mod_security which has a configuration directive for this.

ciao...
--
Lars Eilebrecht
[EMAIL PROTECTED]
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Joshua Slive wrote:
> On 8/20/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
>
>> Ok. Then we can say: For some other reasons, it's not safe to make a
>> ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).
>
> Yes, this is true. *Alias* do not do the canonicalization necessary
> to assure they can't be bypassed. That applies to any filesystem.
> The docs do make it clear in other places that the only safe way to
> protect content in the filesystem is using .

Ding ding ding. Now with some luck light bulbs will come on.

Alias / ScriptAlias have (1) function which is to point the URI space into another filesystem space. If the content is under DocumentRoot there is no reason for alias.
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
On 8/20/06, Guy Hulbert <[EMAIL PROTECTED]> wrote:
> On Sun, 2006-20-08 at 08:36 -0400, Joshua Slive wrote:
>> > But why is there the Directive "ScriptAlias"?
>> > --> This Directive should then better be removed.
>>
>> It could easily be removed. It is a convenience directive for the
>
> Not if you don't want to annoy your users ...

I meant in the sense that if you were designing the config system today, you could easily omit ScriptAlias. I'm not suggesting it be removed.

Joshua.
Re: [PATCH 40026] ServerTokens Off
Sebastian Nohn wrote:
>> I fear that many users of Apache would actually turn off the
>> Server header for no or for the wrong reasons (which may "harm" our
>> market share), and therefore I'm -1 on including this patch.
>
> It would not change Apache's market share. If you are talking about
> Netcraft (and similar stats): I personally think, "ego" is a bad
> reason for constricting people.

We have had a config option in PHP for years to completely hide the fact that a site is using PHP. I don't think it has hurt us in any way. Sure, our Netcraft numbers would probably be higher without it and occasionally we see a dip due to some large site turning it off, but isn't this all about writing useful software and not about marketing gimmicks?

-Rasmus
Re: [PATCH 40026] ServerTokens Off
Lars Eilebrecht wrote:
> Well, this topic pops up every now and then ... mainly because people
> want to change/remove the Server header for "security", i.e.,
> "security by obscurity" reasons. On your web site you point out that
> this does not make much sense and I absolutely agree with that.
>
> So this would be no reason to include the patch ...

Are people asking for that over and over again not an argument FOR the patch?

> Removing the Server header to save 17 bytes ... well, only very
> very few users of Apache would actually really require that in
> order to save bandwidth. I know only one who actually does that,
> and that's Yahoo. But for such specialized cases you would be
> running a manually compiled or even modified Apache anyway
> (like Yahoo).
>
> So I don't see this as a reason to include the patch.

According to Netcraft 3% of all webservers don't send the header, making the no-server-header #3 in Netcraft's list: http://survey.netcraft.com/Reports/0608/

> I fear that many users of Apache would actually turn off the
> Server header for no or for the wrong reasons (which may "harm" our
> market share), and therefore I'm -1 on including this patch.

It would not change Apache's market share. If you are talking about Netcraft (and similar stats): I personally think, "ego" is a bad reason for constricting people.

Sebastian
Re: [PATCH 40026] ServerTokens Off
According to Sebastian:

> > I'd like to propose these patches for inclusion:
> >
> > http://www.nohn.org/blog/uploads/servertokens_off.patch
> > http://www.nohn.org/blog/uploads/servertokens_off_documentation.patch
>
> Patches are now attached by request.
>
> I'm looking forward to your comments.

Well, this topic pops up every now and then ... mainly because people want to change/remove the Server header for "security", i.e., "security by obscurity" reasons. On your web site you point out that this does not make much sense and I absolutely agree with that.

So this would be no reason to include the patch ...

Removing the Server header to save 17 bytes ... well, only very very few users of Apache would actually really require that in order to save bandwidth. I know only one who actually does that, and that's Yahoo. But for such specialized cases you would be running a manually compiled or even modified Apache anyway (like Yahoo).

So I don't see this as a reason to include the patch.

I fear that many users of Apache would actually turn off the Server header for no or for the wrong reasons (which may "harm" our market share), and therefore I'm -1 on including this patch.

ciao...
--
Lars Eilebrecht
[EMAIL PROTECTED]
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
On Sun, 2006-20-08 at 08:36 -0400, Joshua Slive wrote:
> > But why is there the Directive "ScriptAlias"?
> > --> This Directive should then better be removed.
>
> It could easily be removed. It is a convenience directive for the

Not if you don't want to annoy your users ...

--
--gh
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
On 8/20/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
> You have some examples?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0017

> A HTTP server must process the abs_path from an URI in a case-sensitive
> manner. Thus with a case-sensitive filesystem it's enough to build a
> canonical / normalized path and ask the system: You have this file?.
> With a case-insensitive/preserving filesystem you must also compare the
> realpath of a file with the canonical / normalized path from the
> request. That's really basic understanding. And it's not new that some
> systems, like Windows, have a case-insensitive filesystem or other
> differences to a "normal" *nix filesystem. A software must respect this.

And httpd absolutely does do this. *Alias* does not do it, because it is not their job. They are *not* designed to protect content, they simply map a *url* to the filesystem.

> But why is there the Directive "ScriptAlias"?
> --> This Directive should then better be removed.

It could easily be removed. It is a convenience directive for the special case where you *both* want to map a URL, and mark the matching requests as being for cgi scripts. As I have pointed out, it should only be used when you want to do both of those things.

It is really silly to be arguing over the security implications of using a directive in a way that is obviously counter to its intentions. Should I be able to use Redirect as a substitute for Deny? Should I be able to use as a substitute for ? Not every directive is safe to use for every possible purpose.

> --> Why is it allowed (or without a warning) to make an Alias, where the
> target is already accessible via another Alias?

The problem is not using an alias for an already accessible area. The problem is using an alias to protect content (in this case, the source code of cgi scripts).

> Ok. Then we can say: For some other reasons, it's not safe to make a
> ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).

Yes, this is true. *Alias* do not do the canonicalization necessary to assure they can't be bypassed. That applies to any filesystem. The docs do make it clear in other places that the only safe way to protect content in the filesystem is using .

Joshua.
Re: CGI Script Source Code Disclosure Vulnerability in Apache for Windows
Joshua Slive wrote:
> On 8/19/06, Carsten Wiedmann <[EMAIL PROTECTED]> wrote:
>
> [I don't agree with large chunks of what you wrote, but the crux of the
> matter is here:]

That's ok :-)
BTW: Nobody else has an opinion on this discussion? Perhaps all are in the weekend vacation. ;-)

>> And why is (part of) the URI sometimes case-sensitive and sometimes
>> not, and what happens in consequence because of this behavior. And
>> this behavior is the only reason why it can be (on some systems) a
>> problem to have the ScriptAlias inside the DirectoryRoot.
>
> That last sentence is simply not true. Search the bugtraq archives for
> all the other vulnerabilities in windows web servers caused by
> subtleties of the filesystem.

You have some examples?

But see the current case. In easy words: A HTTP server must process the abs_path from an URI in a case-sensitive manner. Thus with a case-sensitive filesystem it's enough to build a canonical / normalized path and ask the system: You have this file?. With a case-insensitive/preserving filesystem you must also compare the realpath of a file with the canonical / normalized path from the request. That's really basic understanding. And it's not new that some systems, like Windows, have a case-insensitive filesystem or other differences to a "normal" *nix filesystem. A software must respect this.

> It is not the job of *Alias* to deal with that; the *Alias* directives
> map a URL to the filesystem. If you want to protect things in the
> filesystem, you have .

That's ok. If I want to protect something or change the behavior how the content of a directory is processed, I should do this inside a container like .

But why is there the Directive "ScriptAlias"?
--> This Directive should then better be removed.

Next question... From the manual:
| The Alias directive allows documents to be stored in the
| local filesystem other than under the DocumentRoot.

Or the "httpd.conf":
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under the DocumentRoot.

Now we assume that the DocumentRoot is only a special alias. Thus we can also say:
| # Alias: Maps web paths into filesystem paths and is used to
| # access content that does not live under another existing Alias.

--> Why is it allowed (or without a warning) to make an Alias, where the target is already accessible via another Alias?

> Yes, it would be nice if httpd could force the use of a canonical case on
> case-insensitive filesystems. It can be partially done with mod_rewrite.
> But that would not make it safe to use ScriptAlias in the way you want.

Ok. Then we can say: For some other reasons, it's not safe to make a ScriptAlias inside DirectoryRoot on *nix (it only looks as if it's safe).

Regards,
Carsten
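The check that Carsten's message above asks for, and that Joshua's reply says the Alias/ScriptAlias mapping deliberately does not perform (normalize the request abs_path, then compare it against the stored on-disk spelling so that a case-insensitive filesystem cannot serve the same file under a differently cased name), as an added Python example. This is not code from the thread or from httpd; the function names (`normalize_abs_path`, `exact_case_lookup`, `map_request`, `demo`) and the constructed temporary DocumentRoot with a cgi-bin directory placed inside it are assumptions made for the example.

```python
# Added example, not code from this thread or from httpd: a URL-to-filesystem
# mapping that accepts a request only when every path component exists on disk
# with exactly the requested spelling. All names below are illustrative.
import os
import tempfile


def normalize_abs_path(abs_path):
    """Canonicalize the abs_path of a request URI: drop empty and '.'
    segments, resolve '..', and keep the case exactly as requested.
    Returns None when the path would climb above the root."""
    if not abs_path.startswith("/"):
        return None
    stack = []
    for seg in abs_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None          # '/../x' escapes the root
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def exact_case_lookup(root, norm_path):
    """Map a normalized abs_path onto `root`, one component at a time.

    On a case-insensitive but case-preserving filesystem os.path.exists()
    answers yes for '/CGI-BIN/test.cgi' when the file is stored as
    cgi-bin/test.cgi. A directory listing reports the stored spelling, so
    comparing each requested segment against it rejects that request on
    every platform. Returns the filesystem path, or None."""
    current = root
    for seg in norm_path.split("/"):
        if not seg:
            continue
        try:
            entries = os.listdir(current)
        except OSError:             # parent is missing or not a directory
            return None
        if seg not in entries:      # byte-for-byte, no case folding
            return None
        current = os.path.join(current, seg)
    return current


def map_request(root, abs_path):
    """Return the on-disk path for abs_path under root, or None if the
    request is malformed, escapes root, or differs from the stored name
    (the realpath-versus-request comparison the thread describes)."""
    norm = normalize_abs_path(abs_path)
    if norm is None:
        return None
    return exact_case_lookup(root, norm)


def build_demo_tree():
    """Constructed layout for the demo: a cgi-bin directory inside the
    DocumentRoot, which is the configuration the thread is about."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "cgi-bin"))
    with open(os.path.join(root, "cgi-bin", "test.cgi"), "w") as f:
        f.write("#!/bin/sh\necho 'Content-Type: text/plain'\necho\necho ok\n")
    return root


def demo():
    """Run constructed requests against the demo tree; returns a dict of
    abs_path -> whether the mapping accepted it."""
    root = build_demo_tree()
    requests = [
        "/cgi-bin/test.cgi",              # exact spelling: accepted
        "/cgi-bin/./test.cgi",            # dot-segment removed: accepted
        "/CGI-BIN/test.cgi",              # differs only in case: rejected
        "/cgi-bin/Test.CGI",              # differs only in case: rejected
        "/cgi-bin/../cgi-bin/test.cgi",   # '..' resolved inside root: accepted
        "/../outside.txt",                # escapes the root: rejected
        "/cgi-bin/missing.cgi",           # does not exist: rejected
    ]
    return {r: map_request(root, r) is not None for r in requests}


if __name__ == "__main__":
    for path, accepted in demo().items():
        label = "accept" if accepted else "reject"
        print(f"{label:6}  {path}")
```

The per-component listing comparison is one portable way to do the "compare the realpath with the normalized request" step even on filesystems whose realpath() call folds case; the point of the thread is that this belongs in whatever layer is meant to protect content, not in a directive whose only job is mapping a URL onto the filesystem.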