The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Apache security hole

Discussion in 'EasyApache' started by visor24, Nov 2, 2004.

  1. visor24

    visor24 Registered

    Joined:
    Nov 2, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I heard that this new apache 1.3.33 is not stable.
    Is this true ? I currently have 1.3.31, do I need to upgrade to this new version soon ?
     
  2. aegis

    aegis Well-Known Member

    Joined:
    Jul 6, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    I'm having real stability problems with it.

    It doesn't like the use of ForceType in .htaccess files.

    Some of my users are reporting php problems with index.php files also with the files coming back as plaintext rather than passing through php.

    I'd hold for a while.

    The easyapache script also currently tries to build ming0.3beta if selected but php is built expecting ming0.2
     
  3. aegis

    aegis Well-Known Member

    Joined:
    Jul 6, 2003
    Messages:
    64
    Likes Received:
    0
    Trophy Points:
    6
    I've done some more investigation.

    The .htaccess problem appears to be related to FilesMatch.

    In Apache v1.3.31,

    <FilesMatch *.html>
    ForceType application/x-httpd-php
    </FilesMatch>

    would parse .html files through the php processor.

    in Apache v1.3.33

    <Files *.html>
    ForceType application/x-httpd-php
    </Files>

    has to be used.
     
  4. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    I thought all the apache problems were ironed out. I'm planning to do a upgrade on my system this weekend.. is it safe to run easyapache?
     
  5. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    We haven't had any problems whatsoever with Apache 1.3.33
     
  6. bman

    bman Well-Known Member

    Joined:
    Dec 28, 2003
    Messages:
    119
    Likes Received:
    0
    Trophy Points:
    16

    me 2
    and belive me i have larg sites running cgi and php with more then 500 GB of monthly traffic and so far every thing is running ok
     
  7. kdr

    kdr Registered

    Joined:
    Aug 8, 2002
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Problem since updating apache

    Hi,

    I have a system for photographers that has been working smoothly for the last year. It uses PC software that helps the photographers automatically upload their photo events to their web site. Since updating apache the day before yesterday, the photographers are finding that their software cannot delete events as they always were able to do before.

    Techsupport at my server host say they can't help. But, the problem doesn't originate with the PC software, since that hasn't changed.

    There is no possible cause of this besides the apache update that I did based upon the notice in the WebHostManager main page.

    If anyone here can help me get my system working again, I'd be so thankful.

    Thank you,
    Karen
     
  8. fikse

    fikse Well-Known Member

    Joined:
    May 10, 2003
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
  9. visor24

    visor24 Registered

    Joined:
    Nov 2, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    So I take it cpanel thinks that there are no issues with this new apache and no fix will be coming out.

    So are we on our own ?
    If we upgrade and does not work, we have to fix it ?
     
  10. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    No problems on nearly a dozen servers here...

    Have you tried examining the /usr/local/apache/logs/error_log yourself? Most dedicated server providers provide just the hardware and no "end user support" - hence why they are probably unable to help.

    That doesn't necessarily mean that Apache is the cause of the problem. Bit like the 1999-2000 year change when web pages started showing "100" as the date: it wasn't the year change that was the problem, it was the faulty Javascript...
     
  11. Sinewy

    Sinewy Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney, Australia
    cPanel Access Level:
    DataCenter Provider
    apache 1.3.33 appears to be fine
     
  12. visor24

    visor24 Registered

    Joined:
    Nov 2, 2004
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    What is the security hole in apache 1.3.31 ?
    Is it root exploit ?
     
  13. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    According to the 1.3.33 changelog available from http://httpd.apache.org/ the changes since 1.3.31 include ( http://www.apache.org/dist/httpd/CHANGES_1.3 ) :

    *) SECURITY: CAN-2004-0940 (cve.mitre.org)
    mod_include: Fix potential buffer overflow with escaped characters
    in SSI tag string. [Martin Kraemer, Jim Jagielski]
    *) mod_rewrite: Fix query string handling for proxied URLs. PR 14518.
    [michael teitler <michael.teitler cetelem.fr>,
    Jan Kratochvil <rcpt-dev.AT.httpd.apache.org jankratochvil.net>]

    *) mod_rewrite: Fix 0 bytes write into random memory position.
    PR 31036. [André Malo]

    *) mod_digest: Fix nonce string calculation since 1.3.31 which
    would force re-authentication for every connection if
    AuthDigestRealmSeed was not configured. PR 30920. [Joe Orton]

    *) Trigger an error when a LoadModule directive attempts to
    load a module which is built-in. This is a common error when
    switching from a DSO build to a static build.
    [Jeff Trawick, Geoffrey Young]

    *) Fix trivial bug in mod_log_forensic that caused the child
    to seg fault when certain invalid requests were fired at it with
    forensic logging is enabled. PR 29313.
    [Will Slater <Will Slater orbisuk.com>]

    *) Fix memory leak in the cache handling of mod_rewrite. PR 27862.
    [chunyan sheng <shengperson yahoo.com>, André Malo]

    *) mod_rewrite no longer confuses the RewriteMap caches if
    different maps defined in different virtual hosts use the
    same map name. PR 26462. [André Malo]

    *) mod_setenvif: Remove "support" for Remote_User variable which
    never worked at all. PR 25725. [André Malo]

    *) mod_usertrack: Escape the cookie name before pasting into the
    regexp. [André Malo]

    *) Win32: Improve error reporting after a failed attempt to spawn a
    piped log process or rewrite map process. [Jeff Trawick]

    *) SECURITY: CAN-2004-0492 (cve.mitre.org)
    Reject responses from a remote server if sent an invalid (negative)
    Content-Length. [Mark Cox]

    *) Fix a bunch of cases where the return code of the regex compiler
    was not checked properly. This affects mod_usertrack and
    core. PR 28218. [André Malo]

    *) No longer breaks mod_dav, frontpage and others. Repair a patch
    in 1.3.31 which prevented discarding the request body for requests
    that will be keptalive but are not currently keptalive. PR 29237.
    [Jim Jagielski, Rasmus Lerdorf]

    *) COMPATIBILITY: Added new compile-time flag: UCN_OFF_HONOR_PHYSICAL_PORT.
    It controls how UseCanonicalName Off determines the port value if
    the client doesn't provide one in the Host header. If defined during
    compilation, UseCanonicalName Off will use the physical port number to
    generate the canonical name. If not defined, it tries the current Port
    value followed by the default port for the current scheme.
    [Jim Jagielski]
     
Loading...

Share This Page