(http://www.ietf.org/rfc/rfc2045.txt). All official MIME types are listed here: ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/ (you should actually browse the FTP directory). A MIME type is official when it has been registered with IANA (Internet Assigned Numbers Authority, http://www.iana.org/). HTTP Protocol: RFC 2616 The Hypertext Transfer Protocol (HTTP) is the protocol used by browsers to request pages, and by the servers to send the requested pages. It is the very heart of the Web. HTTP is the protocol used by the browser to request documents, and of course by the server to send the requested files. Its latest version is 1.1, and it is formalized in RFC 2616 (http://www.ietf.org/rfc/rfc2616.txt). Like many other Internet protocols, HTTP is text based. This means that it is possible to connect to an HTTP server manually and observe what happens when a connection is established. The functionality of the HTTP protocol is quite simple: it is a request/response protocol, where the client requests a resource (also informally called a page) and the server provides a response. This is a typical HTTP request: GET /index.html HTTP/1.1 Host: www.apress.com As you can see, the only piece of information specified is the resource requested (/index.html), the protocol type (HTTP/1.1), and the host you are expecting to be connected to (www.apress.com). This last piece of information is required by HTTP 1.1, and is important in order to be able to apply to virtual domains properly (where a single IP address can manage several different domain names). This is a typical response message: HTTP/1.1 200 OK Date: Sat, 14 Sep 2002 10:58:19 GMT Server: Apache/2.0.40 (Unix) DAV/2 PHP/4.2.3 Last-Modified: Fri, 04 May 2001 00:01:18 GMT Accept-Ranges: bytes Content-Length: 1456 Content-Type: text/html; charset=ISO-8859-1 Content-Language: en <html> [ ] The web page here </html> The HTTP response header is placed before the body of the page in the response message. Also, there is an empty line between the HTTP request header and the message body. You can also request a GIF image in an HTML request, in which case you would get the following response: HTTP/1.1 200 OK Date: Sat, 14 Sep 2002 11:12:48 GMT Server: Apache/2.0.40 (Unix) DAV/2 PHP/4.2.3 Last-Modified: Tue, 24 Aug 1999 05:33:58 GMT ETag: "5ba6c-ec-be34bd80" Accept-Ranges: bytes Content-Length: 236 Content-Type: image/gif GIF89aÂÿÿ333!?NThis art is in the public domain. 8º?ñ0@«#?0ÚbAfhQ#ÌçG @WÓ5? (( ?ÅHàÕ<Äi8:Ö õ:N«U ?É1º ^î^;.ßø ú¥ ;^[[2 What comes after the HTTP header is the binary information that makes up the GIF file. Note This doesn't violate the earlier contention that the HTTP protocol is text based, because the binary information represents the payload and is not part of the protocol itself. Because HTTP is a textual protocol, you can connect to your Apache server directly using Telnet. For example: [merc@localhost merc]$ telnet localhost 80 Trying 127.0.0.1 Connected to localhost. Escape character is '^]'. GET /index.html HTTP/1.1 Host: localhost HTTP/1.1 200 OK Date: Sun, 15 Sep 2002 06:48:00 GMT Server: Apache/2.0.40 (Unix) DAV/2 PHP/4.2.3 Last-Modified: Sun, 15 Sep 2002 06:47:46 GMT ETag: "20ae5-79-18b7e880" Accept-Ranges: bytes Content-Length: 121 Content-Type: text/html; charset=ISO-8859-1 <html> [ ] </html> Connection closed by foreign host. [merc@localhost merc]$ Note the empty line after the Host: header (the request was finished) and after the Content-Type: header in the response (the response headers were finished, and the page's body followed). Encoding Encoding is the means of converting data into a different format, while retaining the content. This is an important aspect for Apache security, because encoding can often be used to manipulate applications and to make them do things they are not supposed to. Unicode and UTF-8 Encoding The standard ASCII character set includes only 127 symbols, including letters, apostrophes, speech marks, tabs, the newline character, and other control characters. You can only represent writing in the English language using ASCII, because other languages need special letters (such as è, à, and so on) that are not included in the standard ASCII code. That is why several types of extended ASCII tables exist. They share the characters up to 127 with the ASCII code, and the symbols from 128 through 255 are used to define the extra characters exclusive to a particular language. This system has its own limitations: A document can contain only one set of characters, and you can't insert French, English, and Italian text in the same document. More importantly, some Asian languages need far more than the 128 extra symbols made available by the extended ASCII tables. This is why Unicode (http://www.unicode.org/) was created: it's a bigger character set and includes symbols for every natural language. Note that the ISO/IEC 10646-1 format is compatible with the Unicode standard, that is, they both define the same set of characters. Some programs may find Unicode hard to deal with, because it's a multi-byte character set. This means that every character is represented using two or four bytes, and this can cause great trouble for existing applications. For back-ward compatibility with older applications, the UTF-8 encoding standard is used. UTF-8 encoding is a standard encoding format used to represent Unicode characters in a stream of bytes. UTF-8 encoding is described in detail by RFC 2279 (http://www.ietf.org/rfc/rfc2279.txt). Note Before HTML 4.0, the standard encoding format for web pages was ISO 8859-1, the first of a set of more than ten different character sets that covered most European languages (they are identified by the number after the dash: 8859-1, 8859-2, 8859-3, and so on). Now, more and more software is Unicode- compatible. UTF-8 encoding of Unicode is convenient for several reasons, but especially because it is much easier to communicate with old applications using this encoding. Also, null-terminated strings are not changed by UTF-8, and US-ASCII strings are written in UTF-8 with no modifications. Note For advanced understanding of UTF-8 encoding, you may also refer to http://www.cl.cam.ac.uk/~mgk25/unicode.html. To display any Unicode characters on an HTML page, you have to use a special notation. Here, the euro symbol is represented by &#8364;: <H1> This is the euro sign: &#8364; </H1> Information related to this is documented at http://www.w3.org/TR/html401/charset.html. This notation is also necessary to display those characters that are considered special by HTML. For example, when you want to display the string <BR>, you can use this notation to represent the characters so that the browser does not interpret it as a tag: <H1> This is a tag: &#60;BR&#62; </H1> HTML has a list of entities that can be used to represent a symbol. An entity is a name used to identify a particular character. In case of <, the entity is lt and the notation is &lt; (including the semicolon). The following line will output the words "This is a tag: <BR>": <H1> This is a tag: &lt;BR&gt; </H1> Note Refer to http://www.w3.org/TR/REC-html40/sgml/entities.html for a comprehensive list of entities. To summarize: the most modern character set you can use is Unicode, whereas UTF-8 is the most convenient way of encoding Unicode for backward compatibility (as well as space saving when using English). If you want to display characters from your character set, you can use the &#NN; notation (where NN is the number allocated to the character/symbol), or the string &entity; (where entity is the entity name). Note Remember that the trailing semicolon is critical when writing an identity. URL Encoding Although UTF-8 and Unicode refer to the content of a page, URL encoding refers exclusively to URLs. On many occasions you need to encode some of the characters in a URL. In the important RFC 1738 (http://www.w3.org/Addressing/rfc1738.txt) you can read: Octets must be encoded if they have no corresponding graphic character within the US-ASCII coded character set, if the use of the corresponding character is unsafe, or if the corresponding character is reserved for some other interpretation within the particular URL scheme. There are several reasons why a character might be deemed "unsafe"—for example, when it has special meanings in particular contexts. For example, you cannot use a space in a URL, and you must therefore encode it. For more detailed information, please read RFC 1738. You cannot use non-ASCII characters in a URL, because there is no way to specify what character set you are using within the URL (and therefore determine how to render it properly). A string is URL-encoded by substituting any "unsafe" characters with a symbol (%) followed by two hexadecimal digits, which represent the character's corresponding US-ASCII code. For example, & becomes %26, the space becomes %20, and the string Tony & Anna becomes Tony%20%26%20Anna, or Tony+%26+Anna (the space can be encoded with a + for historical reasons). Note Using the + rather than %20 is only permitted in the query string, not in the network path portion of the URI. What Happens When You Serve a Page Knowing what happens when Apache serves a page will help you understand where some of the security issues arise, as well as how to fix them. The next sections details what happens when a request is issued to the web server, analyzing four common cases. A Static Page A static page is the simplest case, in which the requested resource is served to the client as it is, without any processing or execution of scripts. The client connects to the web server, and makes the request (for example, http://www.apress.com/index.html): GET /index.html HTTP/1.0 Connection: Keep-Alive User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686; Nav) Host: www.mobily.com Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 The server locates the requested file (index.html), and determines its MIME type (using the mime.types file), which is found to be text/html in this case. Then it sends a response that is composed of the headers, an empty line, and the contents of the index.html file. The client displays the page as an HTML document, executing any JavaScript code according to its security preferences. For more information about security problems in browsers, please read http://www.guninski.com/browsers.html and http://www.guninski.com/netscape.html. A CGI Script with POST A POST request is made when users submit data after they have filled out an online form, if the method used is POST. For example, consider a page called form.html that contains the following code: <FORM ACTION="/here.pl" METHOD="POST"> <INPUT TYPE="TEXT" NAME="name" MAXLENGTH="10"> Name <INPUT TYPE="TEXT" NAME="surname" MAXLENGTH="10"> Surname <INPUT TYPE="submit"> </FORM> Figure B-1 shows how it is displayed on the browser. Figure B-1: A simple form. Suppose that the user enters Tony & in the name field, and Mobily in the surname field. After pressing the Submit Query button, here is what would happen: The client URL-encodes the data keyed by the user. The encoded result would be name=Tony+%26&surname=Mobily. Note that: The & character keyed in by the user is encoded into %26. The fields are separated by the special character &. The first half of the line (name=Tony+%26) is related to the name field, which is assigned the value Tony+%26 with the special character =. The space is converted into a +. The second half of the line (surname=Mobily) is related to the surname field, which is assigned the value Mobily. It doesn't need any encoding. The characters &, =, and + are special; if they weren't escaped, the CGI program wouldn't be able to tell the difference between the characters keyed in by the user, and the ones used to compose a correct query string. 1. The server receives the request, which would contain the user's input information. Here is an example request: POST /here.pl HTTP/1.0 Referer: http://www.mobily.com/form.html Connection: Keep-Alive User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686; Nav) Host: localhost:8080 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Content-type: application/x-www-form-urlencoded Content-length: 28 2. name=Tony+%26&surname=Mobily Notice that after a POST command, the web server waits for additional information (in this case name=Tony+%26&surname=Mobily) up to Content-length bytes or the end of file, separated from the request's headers by an empty line. The server runs the here.pl program after preparing its environment, that is, a set of environment variables used to contain information about the page. The program receives the input from the user (which is URL-encoded) from its standard input. The output generated by the program here.pl is likely to be a web page, but it could just as easily be a GIF image or something else. The program also includes the header that defines the MIME-Type of the response. 3. The web server adds any missing headers, and returns the output generated by the program to the client.4. The client displays the page according to the MIME type defined by the script in the Content-type header.5. A CGI Script with GET You can submit a web form using HTTP's GET command. It is more or less similar to the POST method. The only criteria that change are: The way the form is coded. A form that generates a GET request would start with: <FORM action="http://localhost/here.pl" METHOD="GET"> Notice that the value of the attribute METHOD is GET instead of POST. 1. The request sent by the browser. The query string is still URL-encoded, but it follows the HTTP command GET. For example: GET /here.pl?name=Mobily+%26&surname=Tony HTTP/1.0 Referer: http://www.mobily.com/form.html Connection: Keep-Alive User-Agent: Mozilla/4.79 [en] (X11; U; Linux 2.4.18-3 i686; Nav) Host: localhost:8080 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 2. The way the script receives the information. The here.pl script receives the string name=Tony+%26&surname=Mobily through the environment variable QUERY_STRING. The web server sets this variable just before running the script. The only problem with this method is that you have to be careful about the size of content stored in environment variables, because they can only hold between 1K and 4K, depending on the operating system you use. Often, this limit can be reached in complex scripts. 3. The query string is visibly appended to the URL. Therefore, it appears in logs, and in the address bar of the browser. This makes the query string vulnerable to manipulation and misuse by the user. 4. 4. A Dynamic Page The server processes a dynamic page before sending it back to the browser. It can be seen as a faster substitute of the CGI mechanism; dynamic pages are very popular, because they allow web designers to insert code directly into HTML pages. A dynamic page written in PHP can look like this: <H1> Welcome! </H1> <? print("Testing the script!<BR>\n"); ?> The result page would be: <H1> Welcome! </H1> Testing the script!<BR> This is what happens when a PHP dynamic page is requested: The client connects to the web server, and makes the request (for example http://www.mobily.com/dynamic.php). The request could be done in two ways: through a POST command or through a GET command. In both cases, PHP deals directly with the information coming from the request, and makes sure that the information is readily available to the script. 1. Apache retrieves the requested file (which contains some code), and passes it to the PHP interpreter module. 2. The interpreter module returns the page to the main Apache server, after modifying it. This means that the chunks of code in the page are executed, and that their output is placed where the code was. 3. The server sends the response, which is composed of the headers, an empty line, and the modified page.4. The procedure is basically the same as the one followed by a static page, but there are many similarities with CGI scripts in terms of how the requests are received. Other Request Types The GET and POST requests are only two of the types available in HTTP. The others are: HEAD: Only returns the headers in response to a request, without the response's body PUT: Used to store a resource on the web server DELETE: Used to delete a resource OPTIONS: Used to request information about communication options with the web server Please refer to RFC 2616 for more detailed information on HTTP headers. Conclusions A sound knowledge of all the technologies involved in Apache (and the web in general) is necessary to understand most of Apache's vulnerabilities. There is a considerable amount of information to study, and the fact that web technologies are always changing doesn't help. You should therefore keep your knowledge updated, constantly reading the available documentation and keeping an eye on emerging and promising standards. Appendix C: Chapter Checkpoints The checkpoints from each chapter are provided here for quick reference. Chapter 1: Secure Installation and Configuration Obtain the Apache package from a secure source (such as http://httpd.apache.org), or your distribution's FTP site or CD-ROM. Check the integrity of the package you obtain (using GnuPG, MD5, or the tools provided by your distribution). Be aware of exactly what each directive does, and what possible consequences they have for your server's security. You should configure Apache so that httpd.conf contains only the directives you actually need. Apply all the basic security checks on your configuration: file permissions, protection of root's home page, deletion of any default files, disabling of any extra information on your server, and disabling of the TRACE method. Make sure that you have protected important files (such as .htaccess) using mod_access; and make sure that you need to make minimal modifications to your httpd.conf file (uncomment specific, prewritten lines) to block a particular IP address. Learn a little about mod_rewrite, and use it to prevent people from using your web site's images. Install and configure SSL (when required) using the latest SSL implementation available; obtain a valid certificate from a Certificate Authority. Test your installation's strength using an automatic auditing program (such as Nikto, Nessus, SAINT, or SARA). [...]... using mod_parmguard with, 150 Apache in jail Apache, 1 89 191 chroot, 1 79 183 debugging, 191 – 193 installing, 1 89 libraries in, 188–1 89 name resolution files for, 186–187 preparing, 183–1 89 security issues related to, 199 –200 starting Apache from, 193 user and group system files for, 185–186 using Perl with, 194 – 197 using PHP with, 197 – 199 zone information files for, 188 Apache modules See also security... 100–102 warnings about, 100–102 Apache packages checking, 9 verifying download of, 6 9 Apache servers checking security of, 14–15 secure configuration of, 19 27 using ps command with, 14 Apache signatures, using with GnuPG, 5–6 Apache startup script, creating link to, 193 Apache vulnerabilities CAN-2001- 092 5: Results Can Cause Directory Listing to Be Displayed, 45–47 CAN-2002-0 392 : Chunked Encoding, 45–47... directives, 29 Apache advisory about downloading of, 2 checking with GnuPG, 2–10 downloading correct version of, 1–10 downloading source for, 2 and dynamic modules, 10–13 modularity of, 100 running, 14 starting at boot time, 193 testing with Nikto, 14– 19 web site for, 2, 6, 56, 1 69 and XSS (cross-site scripting), 92 94 Apache 2.x installing, 12–13 installing mod_ssl for, 34–35 using mod_parmguard with, 150 Apache. .. POST requests, 2 49 251 problems associated with, 26–27 CGI variables, using with mod_security, 116–117 character encoding and escaping in message_board.php script, significance of, 90 92 characters, "unsafe" status of, 248 chmod 777 notation, explanation of, 185 chroot advisory about, 1 89 advisory about using with Perl and Apache in jail, 197 confining Apache with, 1 79 180 executing, 1 79 in practice,... mod_security, 118 httpd, running on Apache in jail, 190 – 191 httpd.conf file configuring Apache from, 19 24 defining directives in, 25–26 modifying for logging customization, 79 modifying for mod_bandwidth, 127 modifying for mod_doevasive, 1 39 modifying for mod_hackdetect, 173–174 modifying for mod_hackprotect, 171 modifying for mod_hackprotect and mod_hackdetect, 1 69 modifying for mod_parmguard, 150, 153, 156... on mod_parmguard, 165–167 DELETE requests, effect of, 254 Deny versus Allow directives, 29 /dev/random file, creating, 191 – 193 digital signatures, role in asymmetric encryption, 4 directives, defining in httpd conf file, 25–26 directories creating for Apache in jail, 184–185 enforcing security of, 25 protecting, 1 69 disk space, planning for log files, 60–61 DOS (Denial of Service) attacks, effects of,... related to, 99 See also mod_bandwidth BandWidth directive of mod_bandwidth, using, 130–131 BandWidthDataDir global directive of mod_bandwidth, using, 128 BandWidthModule global directive of mod_bandwidth, using, 128–1 29 BandWidthPulse global directive of mod_bandwidth, using, 1 29 130 bash using chroot with, 180–183 using with automated security scripts, 235 block devices, creating for Apache in jail,... group files, creating for Apache in jail, 185–186 grubbybaby module, accessing, 76 Guninski, Georgi web address, 238 Index H HackProtectFile directive of mod_hackprotect, using, 172 HackProtectMaxAttempts directive of mod_hackprotect, using, 172 hash value, role in asymmetric encryption, 4 HEAD requests, effect of, 254 header() function in PHP, using with character encoding, 91 HeaderName configuration... 2 39 HTML (Hyper Text Markup Language) entities in, 247 overview of, 242–243 HTML information, relationship to XSS attacks, 87 90 HTML pages, displaying Unicode characters on, 247 htmlspider.pl, purpose of, 164 HTTP error 506, managing for mod_parmguard.xml file, 163 HTTP Protocol: RFC 2616, overview of, 244–246 HTTP_header location, using with mod_security, 118 httpd, running on Apache in jail, 190 – 191 ... Directory Listing to Be Displayed, 45–47 CAN-2002-0 392 : Chunked Encoding, 45–47 CAN-2002-0656: SSL Buffer Overflow Problem, 51–54 Apache Week, web address for, 45, 237 apache_ alive security script code for, 211–213 features of, 213 application bugs, security concerns related to, 99 SCII character set, limitation of, 246 asymmetric encryption, relationship to GnuPG, 3–4 attacks, types of, 44 audit_check . 150 Apache in jail Apache, 1 89 191 chroot, 1 79 183 debugging, 191 – 193 installing, 1 89 libraries in, 188–1 89 name resolution files for, 186–187 preparing, 183–1 89 security issues related to, 199 –200 starting. related to, 199 –200 starting Apache from, 193 user and group system files for, 185–186 using Perl with, 194 – 197 using PHP with, 197 – 199 zone information files for, 188 Apache modules. See also security. time, 193 testing with Nikto, 14– 19 web site for, 2, 6, 56, 1 69 and XSS (cross-site scripting), 92 94 Apache 2.x installing, 12–13 installing mod_ssl for, 34–35 using mod_parmguard with, 150 Apache