One of the goals of Apache/2.0 was to better support operating systems other than Unix. While the Windows version of Apache/1.3 was advertised as experimental, it was hoped that in Apache/2.0 it would become much more widely established. However, since the first general release of Apache/2.0 there have been a string of security problems in the Windows (and other non-Unix) versions that may undermine confidence in the suitability of Apache for these platforms.

Windows Apache entries listed at mitre.org’s common vulnerabilities database include directory traversal using dot-dot paths, revealing script source by appending invalid characters, and DOS device names causing a denial-of-service. The striking thing is that these are sterotypical vulnerabilities that over the years many other products have suffered from, and fixed. Apache developers will be disappointed that they were not able to learn from other people’s mistakes sufficiently well to pre-empt the same vulnerabilities appearing in their own server.

In the current month’s survey we find over 16,000 Apache Win32 sites on the ‘Web which may be vulnerable to one of these problems.

Notwithstanding the security problems, the support for threading in Apache/2.0 is a major performance breakthrough for the Windows version and consquently sites using Apache on Windows have a bigger incentive to upgrade to version 2 than sites on Unix. This is reflected in the relative uptake of Apache/2.0: a little over 1% of all Apache sites are running version 2, but amongst Windows servers the proportion is over 7%.