For best results: this site requires that cookies be enabled for proper operation - see Legal Page for more info

Starting December 1, 2006 Techsinfo.be will no longer be available please update your links to http://techinfo.e2uhosting.net Thank you

Select Any of These

Apache Server Bugs

LAST UPDATED: Tuesday, 27 March 2007 08:41:57 +0100

APACHE 1.2 BUGS   APACHE 1.3.0 BUGS    APACHE 1.3.0 BUGS    APACHE 1.3A1 BUGS

APACHE 1.3B2 BUGS    APACHE 1.3B3 BUGS    APACHE 1.3B5 BUGS    APACHE 1.3B7 BUGS 

APACHE FILE DISCLOSURE BUG    APACHE MOD_COOKIES BUFFER OVERFLOW

APACHE TMP FILES

APACHE 1.3B2 BUGS

If you're running your Web server on Apache 1.3b2, you should be aware of a couple of known bugs specific to running on Windows 32 only:
- CGI scripts that are called with information appended to the script name that does NOT have an equal sign (=) in it do not work.
- Passwords stored in htpasswd files need to be stored in plain text, since we do not yet have a crypt() under Win32.
- In Windows 95, DirectoryIndex does not work.
- In some versions of Windows 95, CGI scripts fail and paths given with #! must contain a backslash (\) instead of a forward slash (/).
- When a CGI starts with #! to indicate an interpreter, there must be no space between #! and the path.
--If the CGI program cannot run, Apache logs a "premature end-of-headers" error instead of an error about running the program. 

You can get patches and more info on these bugs from the Apache Web site at the following address:

http://bugs.apache.org/index 

APACHE 1.3.4 BUGS

If you're running your Web server on Apache 1.3.4, you should be aware of a couple of known bugs. First, for Windows 32 only, Apache will not serve file names starting with COM or containing .COM. Instead it will respond with a 403 Forbidden message, and log the error "Filename is not valid." For Unix only, "make install" fails on some operating systems. This occurs when the operating system version of tar does not support the h option. It has been reported on SCO and BSDI. It does not affect systems that use GNU tar. You can get more info on these bugs from the Apache Web site at the following address:

http://bugs.apache.org/index

APACHE 1.3B5 BUGS

If you're running your Web server on Apache 1.3b5, you should be aware of a couple of known bugs, including the following:
- Certain mod_rewrite configurations do not work correctly.
- Using multiple arguments to UserDir does not work correctly.
- AbsoluteURI parsing is broken, so the proxy won't work.
- Use of #! at the start of a CGI script file does not work unless the interpreter file name includes the extension (that is,
#!c:/bin/perl.exe instead of #!c:/bin/perl).
- When installed as a service, Apache expects to find its ServerRoot at \Apache on the system disk.
- The Alias directive does not work if the target is a root directory, as in D:/.
- Repeated concurrent requests to a CGI program can cause Apache to lock up.

You can get patches and more info on these bugs from the Apache Web site at the following address:

http://bugs.apache.org/index

APACHE 1.2 BUGS

If you're running your Web server on Apache 1.2.4, you should be aware of several known bugs, including the following:
- On some architectures, if your configuration uses multiple Listen directives the server may starve one of the sockets while serving hits on another.
- The PATH_INFO part of a request URI cannot include the sequence %2f.
- Users of early 1.2 betas reported problems with many connections that got stuck in the FIN_WAIT_2 state due to server timeouts.
- SunOS4 has a kernel bug in the allocation of memory for the mbuf  table. When it fills up, the result is a Panic the next time any routine tries to set something in an imaginary mbuf beyond the range of the table. Due to buggy browser behavior and the lack of a FIN_WAIT_2 timeout on SunOS4, "KeepAlive Off" is necessary to avoid filling up the mbuf table on busy sites.
- Compiling on Solaris 2 with SunSoft's C compiler gives the warning "'mod_include.c', line 1123: warning: end-of-loop code not reached." 

This is a bogus warning and can be ignored. See PR#681 at this URL:

http://bugs.apache.org/index/full/681

APACHE 1.3.0 BUGS

If you're running your Web server on Apache 1.3.0, you should be aware of a couple of known bugs. First, if you're running on NT, "#exec cmd" in SSI pages does not work. No fix is available yet. Also on NT, mod_rewrite doesn't properly spawn children for logging and URL mapping. This has been fixed in 1.3.1.

APACHE 1.3B7 BUGS 

If you're running your Web server on Apache 1.3b7, you should be aware of a couple of known bugs. In Windows 32, CGI  scripts do not work because of two problems. First, the CGI environment variables are not passed on to the script. Secondly, the current working directory of the script is not set, which affects scripts that rely on the directory being set to the directory containing the CGI program itself (although this is not a requirement of the CGI/1.1 specification). These bugs have been fixed in 1.3.0. Second, the $ character inside an SSI directive is not correctly interpreted unless it marks the start of a variable. In particular, it does not work for marking the end of line in a regular expression. This bug has been fixed in 1.3.0.

APACHE 1.3B3 BUGS

If you're running your Web server on Apache 1.3b3, you should be aware of a couple of known bugs, including the following:

*Building from source may fail because the buildmark.obj file does not exist. Edit Makefile.nt and replace the line

del CoreR\buildmark.obj

with

-del CoreR\buildmark.obj

Do the same for del CoreD\buildmark.obj. 

*Solaris 2.6 users may have troubles compiling the server with gcc. As is frequently the case with gcc compilation troubles, this is the result of an improperly built gcc. The gcc for Solaris 2.6 found at

http://www.sunfreeware.com

is now built with the release version of Solaris 2.6. The release version of Solaris 2.6 changed a few header files enough so the beta-built gcc won't work with it.
*When installed as a service, Apache expects to find its ServerRoot at \Apache on the system disk.
*The Alias directive does not work if the target is a root directory, such as D:/.
* Repeated concurrent requests to a CGI program can cause Apache to lock up.

APACHE 1.3A1 BUGS

If you're running your Web server on Apache 1.3a1, you should be aware of a couple of known bugs. First, the Listen directive does not work when running under Windows. Also, for some reason, mod_isapi does not work with Windows when compiled using the Release setting; it will crash the server whenever you access an ISA DLL. It works fine when the server is compiled with Debug.

APACHE MOD_COOKIES BUFFER OVERFLOW

Certain versions of the Apache Web server shipped with a remotely exploitable buffer overflow attack. The function make_cookie in mod_cookies.c uses a 100-byte buffer. If remote attackers provide more than 100 bytes, they could gain access to the server running Apache.

This particular vulnerability is not present in any version of the Apache Server after 1.1. For more information, browse to

http://www.apache.org

APACHE FILE DISCLOSURE BUG

When used in conjunction with the PHP3 scripting language, Apache Web Server can be tricked into disclosing files to unauthorized users. A PHP request of a specially crafted URL will grant a malicious user read access to any known file that resides on the target computer.

Successful exploitation of this vulnerability could disclose sensitive information and possibly assist in further attacks against the system. As of the writing of this tip, there are no fixes for this bug.

Concerned users are urged to contact Apache for more information.

http://www.apache.org

Questions?

Just Check out some of our sponsors

Shop at BestPrices.Com!

COPYRIGHT 1998 - 2007 All names used are Trademarks of the respective companies