Posted to cvs@httpd.apache.org by bu...@apache.org on 2012/05/06 16:18:10 UTC
svn commit: r816029 [18/23] - in /websites/staging/httpd/trunk/content: ./
apreq/ apreq/docs/ apreq/docs/libapreq2/ contributors/ css/ dev/
dev/images/ dev/whiteboard/ docs-project/ docs/ images/ info/
info/css-security/ library/ mod_fcgid/ mod_ftp/ mo...
Added: websites/staging/httpd/trunk/content/info/apache_users.html
==============================================================================
--- websites/staging/httpd/trunk/content/info/apache_users.html (added)
+++ websites/staging/httpd/trunk/content/info/apache_users.html Sun May 6 14:18:02 2012
@@ -0,0 +1,740 @@
+<HTML>
+<HEAD>
+<TITLE>Users of Apache</TITLE>
+</HEAD>
+<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+<BODY
+ BGCOLOR="#FFFFFF"
+ TEXT="#000000"
+ LINK="#0000FF"
+ VLINK="#000080"
+ ALINK="#FF0000"
+>
+<DIV ALIGN="CENTER">
+<IMG
+ SRC="../images/apache_sub.gif"
+ ALT="[APACHE DOCUMENTATION]"
+>
+</DIV>
+
+<H1 ALIGN="CENTER">
+The<BR>"Proud to run <A HREF="/">Apache</A>"<BR>list</H1>
+
+<P>
+This is a list of sites that <STRONG>asked</STRONG> to be recorded
+as running Apache.
+</P>
+
+<P>
+The list represents only a small fraction of the total number of sites
+that run Apache. See the link(s) at the bottom of this page for pointers
+to much larger lists.
+</P>
+
+<DL>
+<DT><A HREF="http://www.apache.org/">The Apache Project</A></DT>
+ <DD>The developers trust it :-)</DD>
+
+<HR WIDTH="20%">
+
+<HR><P>
+<STRONG>
+<A HREF="#ahook">A</A> | <A HREF="#bhook">B</A> | <A HREF="#chook">C</A> | <A HREF="#dhook">D</A> | <A HREF="#ehook">E</A> | <A HREF="#fhook">F</A> | <A HREF="#ghook">G</A> | <A HREF="#hhook">H</A> | <A HREF="#ihook">I</A> | <A HREF="#jhook">J</A> | <A HREF="#khook">K</A> | <A HREF="#lhook">L</A> | <A HREF="#mhook">M</A> | <A HREF="#nhook">N</A> | <A HREF="#ohook">O</A> | <A HREF="#phook">P</A> | <A HREF="#qhook">Q</A> | <A HREF="#rhook">R</A> | <A HREF="#shook">S</A> | <A HREF="#thook">T</A> | <A HREF="#uhook">U</A> | <A HREF="#vhook">V</A> | <A HREF="#whook">W</A> | <A HREF="#xhook">X</A> | <A HREF="#yhook">Y</A> | <A HREF="#zhook">Z</A>
+</STRONG>
+<P><HR>
+
+<P><DT><STRONG>A...</STRONG></DT>
+
+<A NAME="ahook"></A>
+<DT><A HREF="http://www.abast.es/">Abast Systems, S.A.</A></DT>
+ <DD>An HP service provider at Barcelona</DD>
+
+<DT><A HREF="http://www.achilles.net/">Achilles Internet Ltd.</A></DT>
+ <DD>Internet Service and Presence Provider in Ottawa, Ontario, Canada.</DD>
+
+<DT><A HREF="http://www.adnet.ie/">Adnet - Ireland's Interactive Resource Directory</A></DT>
+ <DD>Fred Hanna's Bookstore, U2 Interview, Knickerbox Lingerie, the Explorer magazine, and much more...</DD>
+
+<DT><A HREF="http://www.adsweb.com/">ADSweb</A></DT>
+ <DD>A webspace provider in St. Louis, MO</DD>
+
+<DT><A HREF="http://www.advcs.com/">Advanced Computing Solutions</A></DT>
+ <DD>The best prices on software, hardware and related accessories on the 'Net!</DD>
+
+<DT><A HREF="http://nz.com/">Akiko International</A></DT>
+ <DD>New Zealand on the Web</DD>
+
+<DT><A HREF="http://ugweb.cs.ualberta.ca">University of Alberta Computing Science</A></DT>
+ <DD>University of Alberta Undergraduate Computing Science Labs</DD>
+
+<DT><A HREF="http://www.algonet.se">Algonet</A></DT>
+ <DD>Algonet - Your Internetsupplier in Sweden.</DD>
+
+<DT><A HREF="http://www.aros.net/">ArosNet</A></DT>
+ <DD>An ISP in Salt Lake City, UT. Complete solutions for business.</DD>
+
+<DT><A HREF="http://www.atlantic.com/">Atlantic Computing Technology Corporation</A></DT>
+ <DD>An Internet consulting firm in Connecticut</DD>
+
+<DT><A HREF="http://www.nla.gov.au">National Library of Australia</A></DT>
+
+<DT><A HREF="http://ftp.ua.pt/">University of Aveiro Software Archive</A></DT>
+ <DD>The biggest software archive in Portugal</DD>
+
+<DT><A HREF="http://www.axxel.nl/">The Home of AXXEL.NL Internet</A></DT>
+ <DD>We trust the developers who trust Apache...:-)</DD>
+
+<A NAME="bhook"></A>
+<P><DT><STRONG>B...</STRONG></DT>
+
+<DT><A HREF="http://www.bns.ee/">Baltic News Service</A></DT>
+ <DD>Newswire about Baltics</DD>
+
+<DT><A HREF="http://www.blackhills.com/">Internet Services of the Black Hills</A></DT>
+ <DD>3 websites up, more to come ;-)</DD>
+
+
+<DT><A HREF="http://www.bayscenes.com/">BayScenes</A></DT>
+ <DD>Unique products and services of Northern California</DD>
+
+<DT><A HREF="http://BowlingGreen.KY.net/">Bowling Green, KY</A></DT>
+<DD>Bowling Green's Internet presence (<A HREF="http://www.KY.net/kiwi/">KIWI</A>)</DD>
+
+<DT><A HREF="http://www.telescope.org/">Bradford Robotic Telescope</A></DT>
+ <DD>An autonomous telescope controlled by the Web</DD>
+
+<DT><A HREF="http://www.buzznet.com/">Buzznet</A></DT>
+ <DD>The cultural voice of the online generation</DD>
+
+<A NAME="chook"></A>
+<P><DT><STRONG>C...</STRONG></DT>
+
+<DT><A HREF="http://www.epibiostat.ucsf.edu/">University of California San Francisco Department of Epidemiology and Biostatistics</A></DT>
+ <DD>Maintainers of the World Wide Web Virtual Library: Epidemiology Page</DD>
+
+<DT><A HREF="http://ucsee.EECS.Berkeley.EDU/">University of California Society of Electrical Engineers</A></DT>
+ <DD>Student-run server at the University of California at Berkeley.</DD>
+
+<DT><A HREF="http://www.caprica.com/">Caprica Internet Services</A></DT>
+ <DD>Southern California's Original Internet Provider!</DD>
+
+<DT><A HREF="http://www.cm.cf.ac.uk/">Cardiff University Computer Science</A></DT>
+ <DD>Home for the Interenet Movie Database and more.</DD>
+
+<DT><A HREF="http://www.careersite.com/">Virtual Resources' <EM>CareerSite</EM> employment service</A></DT>
+<DD>Concept­based profile matching helps job hunters & human resources.</DD>
+
+<DT><A HREF="http://www.cetlink.net/">CetLink.Net</A></DT>
+ <DD>South Carolina ISP and advanced networking services company.</DD>
+
+<DT><A HREF="http://www.cistron.nl/">Cistron Internet Services</A></DT>
+ <DD>An independent Dutch Internet provider.</DD>
+
+<DT><A HREF="http://www.cityline.it">CityLine</A></DT>
+ <DD>Internet business service in Brescia (Italy)</DD>
+
+<DT><A HREF="http://www.dom.de/">DOM ->Cologne - where else?</A></DT>
+ <DD>The best smelling machine on the WEB 8-()</DD>
+
+<DT><A HREF="http://www.cts.richmond.va.us/">Commonwealth Technical Services</A></DT>
+ <DD>Custom built computers, Web services, netowrking, etc...</DD>
+
+<DT><A HREF="http://www.c2.org/">Community ConneXion</A></DT>
+ <DD>ISP in Berkeley, CA. Specializes in privacy.</DD>
+
+<DT><A HREF="http://www.tcp.com/">The Commnet Projetc</A></DT>
+ <DD>Anime Archives, e-zines and personal web pages</DD>
+
+<DT><A HREF="http://www.compusult.nf.ca/">Compusult Limited</A></DT>
+ <DD>Software Development and Systems Integration</DD>
+
+<DT><A HREF="http://www.cdepot.net/">The Computer Depot</A></DT>
+ <DD>Amador County, California, Internet Provider</DD>
+
+<DT><A HREF="http://www.cforc.com/">Computers For Christ</A></DT>
+ <DD>Christian Computer Ministry</DD>
+
+<DT><A HREF="http://www.cst.com.au/">Creative Software Technologies</A></DT>
+ <DD>Videoconferencing and multimedia applications</DD>
+
+<DT><A HREF="http://www.univ-rennes1.fr/">CRI Universite de Rennes 1 (France)</A></DT>
+ <DD>Many thanks to the APACHE team.</DD>
+
+<DT><A HREF="http://cyberspc.mb.ca/">Cyberspace Online Information Services</A></DT>
+ <DD>ISP - Winnipeg, Manitoba, Canada</DD>
+
+<A NAME="dhook"></A>
+<P><DT><STRONG>D...</STRONG></DT>
+
+<DT><A HREF="http://www.dal.net/">The DALnet IRC Network</A></DT>
+ <DD>Friendly, easy-to-use, secure, fun Internet communication.</DD>
+
+<DT><A HREF="http://www.dataway.ch/">dataway</A></DT>
+ <DD>An Internet Service and WWW Provider in Winterthur, Switzerland.</DD>
+
+<DT><A HREF="http://www.davidbowie.com/">David Bowie Outside</A></DT>
+ <DD>Tour info, sound samples, concepts and other happenings<DD>
+
+<DT><A HREF="http://www.cardinal.wisc.edu/">The Digital Cardinal at the
+UW-Madison</A></DT>
+ <DD>The UW-Madison's student newspaper</DD>
+
+<DT><A HREF="http://www.digimark.net/">Digital Marketing, Inc.</A></DT>
+ <DD>Comprehensive Internet Presence Services.</DD>
+
+<DT><A HREF="http://www.reflections.com.au">Digital Reflections</A></DT>
+ <DD>Giving YOU an Internet Presence.</DD>
+
+<DT><A HREF="http://www.daft.com/">Discordian Alliance For Teaching</A></DT>
+ <DD>Installation, maintenance and training for Information Publishing on the N
+ et.</DD>
+
+<DT><A HREF="http://www.discpro.org/">DISCovery Productions</A></DT>
+ <DD>Dedicated to regional and ethnic folk music (emphasis on Flamenco and Andean)</DD>
+
+<DT><A HREF="http://www.dragon.net.au/">Dragon Net</A></DT>
+ <DD>Internet Service Provider and Web Developers in Syndey, AUSTRALIA.
+
+<A NAME="ehook"></A>
+<P><DT><STRONG>E...</STRONG></DT>
+
+<DT><A HREF="http://www.ecstatic.com/">Ecstatic Communications</A></DT>
+ <DD>Multimedia Productions (Apache on MachTen 2.2 Unix on MacOs 7.5.1 Rules!)</DD>
+
+<DT><A HREF="http://www.ekspress.ee/">Eesti Ekspress</A></DT>
+ <DD>Estonian Ekspress - largest weekly newspaper in Estonia</DD>
+
+<DT><A HREF="http://www.efrei.fr/">EFREI</A></DT>
+ <DD>Ecole Francaise d'Electronique et d'Informatique - PARIS</DD>
+
+<DT><A HREF="http://www.empire.net/">Empire.Net, Inc.</A></DT>
+ <DD>Full Service WWW Hosting and Design Internet Provider</DD>
+
+<DT><A HREF="http://equinet.com/">EQUINET - Horses! on the Internet</A></DT>
+ <DD>Premier site for equestrian products, services and the buying & selling horses.</DD>
+
+<DT><A HREF="http://www.esquadro.com.br/">Esquadro ISP</A></DT>
+ <DD>Internet Acess and Service Provider in Rio de Janeiro, Brazil:-)</DD>
+
+<DT><A HREF="http://travel.digit.ee/">Estonian Travel Guide</A></DT>
+ <DD>Your source to Estonian travel information</DD>
+
+<DT><A HREF="http://www.efi.joensuu.fi/">European Forest Institute</A></DT>
+ <DD>An independent non-governmental organization conducting European forest research</DD>
+
+<DT><A HREF="http://www.imec.be/europractice/europractice.html">The EUROPRACTICE Project</A></DT>
+ <DD>The Small Volume and Prototype Silicon Processing Initiative of the EEC</DD>
+
+<DT><A HREF="http://www.xtc.net/">Expanding Technologies</A></DT>
+ <DD>NorthEast Tennessee's hottest ISP / Web Developer</DD>
+
+<A NAME="fhook"></A>
+<P><DT><STRONG>F...</STRONG></DT>
+
+<DT><A HREF="http://www.flora.ottawa.on.ca/">Flora St. Community WEB</A></DT>
+ <DD>Home/volunteer site of consultant: Flora St,Ottawa,Canada.</DD>
+
+<DT><A HREF="http://www.teaser.fr/">France-Teaser</A><DT>
+ <DD>French Internet Service Provider</DD>
+
+<DT><A HREF="http://www.frankfurt.de/">Frankfurt Digital Marketplace</A></DT>
+ <DD>The Frankfurt server</DD>
+
+<DT><A HREF="http://www.freebsd.org/">FreeBSD</A></DT>
+ <DD>FreeBSD Web Site</DD>
+
+<A NAME="ghook"></A>
+<P><DT><STRONG>G...</STRONG></DT>
+
+<DT><A HREF="http://www.galaxy.net/">Galaxy Networks</A></DT>
+ <DD>Internet Service Provider and Web Site in New Jersey</DD>
+
+<DT><A HREF="http://www.getnet.com/">GetNet International</A></DT>
+ <DD>Internet Service/Network/Presence Provider, Phoenix, AZ</DD>
+
+<DT><A HREF="http://www.gospelcom.net/">Gospel Communications Network</A></DT>
+ <DD>Online Christian Resources</DD>
+
+<DT><A HREF="http://bull.got.kth.se">BULL.GOT.KTH.SE</A></DT>
+ <DD>The student's server at the Gotland College of Higher Education</DD>
+
+<DT><A HREF="http://www.greyhawkes.com/">Greyhawkes Cyberservices</A></DT>
+ <DD> Web Services, Consulting & Training</DD>
+
+<A NAME="hhook"></A>
+<P><DT><STRONG>H...</STRONG></DT>
+
+<DT><A HREF="http://www.rvs.uni-hannover.de/">University of Hannover, RVS</A></DT>
+ <DD>Lehrgebiet Rechnernetze und Verteilte Systeme</DD>
+
+<DT><A HREF="http://harvard.net/">HarvardNET</A></DT>
+ <DD>Internet Service Provider in Boston, 5 BSDI Web Servers, 100+ virtual domains</DD>
+
+<DT><A HREF="http://www.hway.com/">Hiway Technologies, Inc.</A></DT>
+ <DD>Specializing in virtual domain web space rental.</DD>
+
+<DT><A HREF="http://www.ci.houston.tx.us">The City of Houston, Texas</A></DT>
+ <DD>The City of Houston, Texas WWW Server</DD>
+
+<DT> <A HREF="http://www.uth.tmc.edu/">The UT Houston Health Science Center</A>
+ <DD>Information Resources for UTH faculty, staff and students.
+
+<DT><A HREF="http://www.nightflight.com/">Home Page Services, Free Classified Ads</A></DT>
+ <DD>Low cost, high quality :-)</DD>
+
+<DT><A HREF="http://www.station.net/">Hong Kong Internet Station</A></DT>
+ <DD>A ISP in Hong Kong. We run both Apache and Apache+SSL.</DD>
+
+<DT><A HREF="http://www.hotwired.com/">HotWired</A></DT>
+ <DD>No description necessary.</DD>
+
+<DT><A HREF="http://www.hyperreal.org/">Hyperreal</A></DT>
+ <DD>The Techno/Ambient/Alternative Culture Archives</DD>
+
+<DT><A HREF="http://www.hypersurf.com/">Hypersurf Internet Services</A></DT>
+ <DD>Hypersurf provides dialup, as well as web hosting to the East SF Bay Area</DD>
+
+<A NAME="ihook"></A>
+<P><DT><STRONG>I...</STRONG></DT>
+
+<DT><A HREF="http://www.IdeaCafe.com/">Idea Cafe</A></DT>
+ <DD>The Small Business Gathering Place...</DD>
+
+<DT><A HREF="http://www.io.com">Illuminati Online</A></DT>
+ <DD>The online services division of Steve Jackson Games</DD>
+
+<DT><A HREF="http://www.indra.com/">Indra's Net, Inc </A></DT>
+ <DD>An Internet access and Web presence provider based in Boulder,Colorado</DD>
+
+<DT><A HREF="http://www.InfoStreet.com/">InfoStreet, Inc.</A></DT>
+ <DD>Commercial Web Weaving and Web Hosting Provider specializing in turn key solutions</DD>
+
+<DT><A HREF="http://www.infinityweb.com/">InfinityWeb Communications</A></DT>
+ <DD>Design and/or Hosting with offices in Honolulu, Tampa, and Tucson.</DD>
+
+<DT><A HREF="http://www.InstantWeb.com/">Instant Web Sites</A></DT>
+ <DD>Fill in a simple form and instantly get your own Web site.</DD>
+
+<DT><A HREF="http://www.mineral.tu-freiberg.de/">Institute of Mineralogy</A></DT>
+ <DD>Freiberg University of Mining and Technology (Germany)</DD>
+
+<DT><A HREF="http://www.inta.net/">IntaNET Communications</A></DT>
+ <DD>After testing several servers, IntaNET chose Apache for its versatility and reliability.</DD>
+
+<DT><A HREF="http://www.nfld.com/">InterActions</A></DT>
+ <DD>Internet Service Provider, Mount Pearl, NF, Canada</DD>
+
+<DT><A HREF="http://www.icsi.net/">Internet Connect Services, Inc.</A></DT>
+ <DD>ICSI's Primary WWW Server - Running 40+ Virtual Domains</DD>
+
+<DT><A HREF="http://www.netdoor.com/">Internet Doorway, Inc</A></DT>
+ <DD>Internet Service Provider in Jackson, Mississippi</DD>
+
+<DT><A HREF="http://www.webnet.com.au/">Internet Interface Systems</A></DT>
+ <DD>ISP in Melbourne, Australia</DD>
+
+<DT><A HREF="http://uk.imdb.com/">Internet Movie Database (UK)</A></DT>
+ <DD>The web's biggest and best movie resource.</DD>
+
+<DT><A HREF="http://us.imdb.com/">Internet Movie Database (US)</A></DT>
+ <DD>The web's biggest and best movie resource.</DD>
+
+<DT><A HREF="http://www.spies.com/">The Internet Wiretap</A></DT>
+ <DD><A HREF="http://wiretap.spies.com">Electronic texts</A> and personal publishing.</DD>
+
+<DT><A HREF="http://www.interpac.net/">Inter-Pacific Networks</A></DT>
+ <DD>Big Island of Hawaii Premire Internet Service Provider</DD>
+
+<DT><A HREF="http://www.is.kiruna.se/">Information Society, Kiruna, Sweden</A></DT>
+<DD>Information should be free (and powered by Apache)</DD>
+
+<A NAME="jhook"></A>
+<P><DT><STRONG>J...</STRONG></DT>
+
+<DT><A HREF="http://www.ju.edu/">Jacksonville University</A></DT>
+ <DD>Making changes in College Education!</DD>
+
+<DT><A HREF="http://www.sjis.com">South Jersey Internet Services</A></DT>
+ <DD>Webmaster/Web Service Providers. We love Apache!</DD>
+
+<A NAME="khook"></A>
+<P><DT><STRONG>K...</STRONG></DT>
+
+<DT><A HREF="http://www.kemmunet.net.mt/">Kemmunet Ltd</A></DT>
+ <DD>Kemmunet is an Internet Service Provider in the island.</DD>
+
+<DT> <A HREF="http://www.dbnet.ece.ntua.gr"> Knowledge and Data Base Systems Laboratory </A></DT>
+ <DD> based at the National Technical University of Athens, GREECE </DD>
+
+<A NAME="lhook"></A>
+<P><DT><STRONG>L...</STRONG></DT>
+
+<DT><A HREF="http://www.lansoft.com/">LANsoft U.S.A.</A></DT>
+ <DD>Commercial Email To Internet Provider</DD>
+
+<DT><A HREF="http://www.lls.se/">Lightning Line Service</A></DT>
+ <DD>Swedish Internet provider & WWW hotel located in Gothenburg</DD>
+
+<DT><A HREF="http://www.links.net/">Links from the Underground</A></DT>
+ <DD>A collection of writings and pointers from net.superstar Justin Hall</DD>
+
+<DT><A HREF="http://www.littleblue.com">Little Blue Productions</A></DT>
+ <DD>Web space provider in Kansas City, powered by Apache on Silcon Graphics.</DD>
+
+<DT><A HREF="http://xxx.lanl.gov/">XXX e-print archives at Los Alamos National Lab</A></DT>
+ <DD>Repository for electronic publishing in the fields of physics, math and more.</DD>
+
+<DT><A HREF="http://www.louisville.edu/">The University of Louisville</A></DT>
+ <DD>Univ. of Lou. Louisville, KY. Main WWW server.</DD>
+
+<DT><A HREF="http://www.lth.se/">Lund Institute of Technology</A></DT>
+ <DD>The technical faculty at Lund University in the south of Sweden</DD>
+
+<A NAME="mhook"></A>
+<P><DT><STRONG>M...</STRONG></DT>
+
+<DT><A HREF="http://www.madcap.com/">MadCap</A><DT>
+ <DD>A San Francisco Geek Arcology/Consulting Group</DD>
+
+<DT><A HREF="http://www.magpage.com/">The Magnetic Page</A></DT>
+ <DD>An internet service provider for Delaware, Maryland, and Pennsylvania.</DD>
+
+<DT><A HREF="http://WWW.Zmall.Com/">Mall of Cyberspace</A></DT>
+ <DD>Your Storefront on the Information Superhighway</DD>
+
+<DT><A HREF="http://www.mediabridge.com">Mediabridge Infosystems</A></DT>
+ <DD>Custom Web and other Internet servers</DD>
+
+<DT><A HREF="http://www.metwest.com/">Metwest.com</A></DT>
+ <DD>Commercial low cost web services Serving Metro-West/Boston.</DD>
+
+<DT><A HREF="http://www.ml.ee/">Microlink</A></DT>
+ <DD>Microlink computer manufacturer</DD>
+
+<DT><A HREF="http://www.mwci.net/">Midwest Communications Inc.</A></DT>
+ <DD>Nationwide Internet and Web Service Provider</DD>
+
+<DT><A HREF="http://www.state.net/">Minnesota OnLine</A></DT>
+ <DD>Minnesota's Premier Access Provider</DD>
+
+<DT><A HREF="http://www.msstate.edu/">Mississippi State University</A></DT>
+ <DD>US mirror of the Internet Movie Database and Fineart Forum online</DD>
+
+<DT><A HREF="http://www.modcomp.com/">MODCOMP</A></DT>
+ <DD>A vendor of realtime low-latency computer systems</DD>
+
+<DT><A HREF="http://jamcha.witness.com/">More Email BBS</A><DT>
+
+<DT><A HREF="http://www.musicblvd.com/">Music Boulevard</A></DT>
+ <DD>Music CDs, samples, magazines, and more</DD>
+
+<A NAME="nhook"></A>
+<P><DT><STRONG>N...</STRONG></DT>
+
+<DT><A HREF="http://www.netaxis.com/">NETAXIS</A></DT>
+ <DD>Your On-line Marketing and Communications Resource</DD>
+
+<DT><A HREF="http://Nettvik.no/">Nettvik</A></DT>
+ <DD>Norway's fastest growing town.</DD>
+
+<DT><A HREF="http://www.netway.it/">Netway Italia S.r.l.</A></DT>
+ <DD>Full Internet Service Provider, Naples, Italy</DD>
+
+<DT><A HREF="http://www.gatewy.net/"> New Orleans Gateway</A></DT>
+ <DD>New Orleans most affordable Full Internet Service. Come visit us.</DD>
+
+<DT><A HREF="http://www.next.com.au">Next Online</A></DT>
+ <DD>Internet Presence Provider, Sydney, Australia</DD>
+
+<DT><A HREF="http://www.northsea.com/">North Sea, Ltd.</A></DT>
+ <DD>Internet-Based Health Care Analyis and Provider Management Systems.</DD>
+
+<DT><A HREF="http://marg.ntu.ac.uk/">Nottingham Trent University,Department of Manufacturing Engineering</A></DT>
+ <DD>Web server run by the Manufacturing Automation Research Group</DD>
+
+<DT><A HREF="http://nps.venture-web.or.jp">NPS Inc.</A></DT>
+ <DD>A Japanese trading company with anb internet twist.</DD>
+
+<DT><A HREF="http://www.cas.unt.edu/">The University of North Texas College of A
+rts and Sciences</A></DT>
+ <DD>Running under FreeBSD v2.x since apache_0.6.5.</DD>
+
+<DT><A HREF="http://www.nucleus.com/">Nucleus Inc.</A></DT>
+ <DD>Specializing in Web Advertising. Internet Provider for the Calgary Area</DD>
+
+<DT><A HREF="http://www.nueva.pvt.k12.ca.us/">The Nueva School</A></DT>
+ <DD>An independent K-8 school in Hillsborough, California.</DD>
+
+<A NAME="ohook"></A>
+<P><DT><STRONG>O...</STRONG></DT>
+
+<DT><A HREF="http://oasi.shiny.it/">OASI Association - Asti, Italy</A></DT>
+ <DD>The one and only I.T. power group in our town. Linux + little RAM = Apache :)</DD>
+
+<DT><A HREF="http://www.omnes.net/">Omnes</A></DT>
+ <DD>Omnes - global communications solutions</DD>
+
+<DT><A HREF="http://www.opencad.com/">OpenCAD International, Inc.</A></DT>
+ <DD>Web Prescence Providers in Santa Monica, California</DD>
+
+<DT><A HREF="http://www.organic.com/">Organic Online</A></DT>
+ <DD>Web Site Developers/Networked Hypermedia Designers</DD>
+
+<DT><A HREF="http://www.lib.ox.ac.uk/">Oxford University Libraries Automation Service</A></DT>
+ <DD>Running Apache under FreeBSD</DD>
+
+<A NAME="phook"></A>
+<P><DT><STRONG>P...</STRONG></DT>
+
+<DT><A HREF="http://www.pacinfo.com/">PacInfo</A></DT>
+ <DD>Internet Service Provider in Eugene, Oregon</DD>
+
+<DT><A HREF="http://www.pasadena.net/">Network Pasadena</A></DT>
+ <DD>Wide area network services, domestic and international.</DD>
+
+<DT><A HREF="http://www.passageway.com/">Passageway Communications</A></DT>
+ <DD>Calgary's Presence Provider</DD>
+
+<DT><A HREF="http://www.pair.com/">pair Networks</A></DT>
+ <DD>Web presence provider</DD>
+
+<DT><A HREF="http://www.pcug.co.uk/">PC User Group (UK)</A></DT>
+ <DD>The PC Users' Group in the UK</DD>
+
+<DT><A HREF="http://www.Phoenix.Volant.ORG">Phoenix Volant</A></DT>
+ <DD>A consulting service/personal site/webspace provider.</DD>
+
+<DT><A HREF="http://www.pindar.co.uk">Pindar plc</A></DT>
+ <DD>Printing company based in York, UK.</DD>
+
+<DT><A HREF="http://planet-hawaii.com/">Planet Hawaii</A></DT>
+ <DD>Hawaii's web site for travel, culture, business, and shopping information</DD>
+
+<DT><A HREF="http://pleasure.com/">Pleasure Unlimited</A></DT>
+ <DD>Your run of the mill adult site</DD>
+
+<DT><A HREF="http://www.programmers.net/">Programmer's WEB</A></DT>
+ <DD>The first italian WEB for developers</DD>
+
+<DT><A HREF="http://www.glue.umd.edu/">Project Glue</A></DT>
+ <DD>University of Maryland at College Park</DD>
+
+<A NAME="qhook"></A>
+<P><DT><STRONG>Q...</STRONG></DT>
+
+<DT><A HREF="http://www.quake.net/">QuakeNet Internet Services</A></DT>
+ <DD>We use Apache and CyberCash to make Internet Commerce a reality.</DD>
+
+<A NAME="rhook"></A>
+<P><DT><STRONG>R...</STRONG></DT>
+
+<DT><A HREF="http://www.ravens-nest.com/">The Raven's Nest</A></DT>
+ <DD>Design & develop corporate internet strategies and solutions</DD>
+
+<DT><A HREF="http://www.module.vympel.msk.ru/">Research Centre "Module"</A></DT>
+ <DD>Internet Service Provider in Moscow, Russia. Apache Project HTTP-mirror.</DD>
+
+<DT><A HREF="http://www.rsp.com.au/">Rising Sun Pictures</A></DT>
+ <DD>3D Animation and Visual Effects for Film and Television</DD>
+
+<DT><A HREF="http://inet-unx.unisys.nl/robegids/html/US/home.htm">The Robé Directory</A></DT>
+ <DD>The on-line database containing more than 110,000 companies in The Netherlands</DD>
+
+<A NAME="shook"></A>
+<P><DT><STRONG>S...</STRONG></DT>
+
+<DT><A HREF="http://sapo.ua.pt/">SAPO - Servidor de Apontadores Portugueses</A></DT>
+ <DD>Exhaustive list of Pointers to Portuguese Servers</DD>
+
+<DT><A HREF="http://www.pbm.com/">Shadow Island Games</A></DT>
+ <DD>A play-by-net gaming company</DD>
+
+<DT><A HREF="http://www.siam.net/">SiamGuide to Thailand</A></DT>
+ <DD>Commercial Web Development service in Thailand :-)</DD>
+
+<DT><A HREF="http://www.sierraclub.org/">Sierra Club</A></DT>
+ <DD>A non-profit organization promoting conservation of the environment</DD>
+
+<DT><A HREF="http://www.skynet.ie/">Skynet</A></DT>
+ <DD>The University of Limerick Comp. Soc., appreciating Apache's performance</DD>
+
+<DT><A HREF="http://soilcrop.tamu.edu">Soil & Crop Sciences, TAMU</A></DT>
+ <DD>The departmental WWW server of Soil & Crop Sciences dept. at Texas A&M</DD>
+
+<DT><A HREF="http://www.sonoma.net/">Sonoma.Net</A></DT>
+ <DD>An ISP hosting a growing list of different Websites...</DD>
+
+<DT><A HREF="http://www.stel.com">Stanford Telecommunications Inc.,</A></DT>
+ <DD>Bringing you the world of communications through wireless and Web services.</DD>
+
+<DT><A HREF="http://www.Stardot.com/">Stardot Consulting</A></DT>
+ <DD>Political resources and consulting on the Web</DD>
+
+<DT><A HREF="http://www.stonesworld.com/">Stones World</A></DT>
+ <DD>Tour info, sound samples, audio/video streams, and happenings<DD>
+
+<DT><A HREF="http://www.dis.strath.ac.uk/">Information Science at Strathclyde University</A></DT>
+ <DD>A surprisingly busy little site in Scotland.</DD>
+
+<DT><A HREF="http://www.suck.com/">Suck</A></DT>
+ <DD>Hindenburg. Titanic. Edsel. Suck.</DD>
+
+<DT><A HREF="http://www.ee.ethz.ch/">Department of Electrical Engineering, Swiss Federal Institute of Technology Zurich</A></DT>
+ <DD>Only the best is good enough ...</DD>
+
+<DT><A HREF="http://www.sjs.com/">sjs.com</A></DT>
+ <DD>Systems & Network Consultant in Central Massachusetts</DD>
+
+<DT><A HREF="http://www.skl.com/">Systems Knowledge Link</A></DT>
+ <DD>A full service Internet Provider in West Hill, Ontario :-)</DD>
+
+<A NAME="thook"></A>
+<P><DT><STRONG>T...</STRONG></DT>
+
+<DT><A HREF="http://www.tbi.net/">Tampa Bay Interactive</A></DT>
+ <DD>Quality Counts!</DD>
+
+<DT><A HREF="http://www.ton.tut.fi/"></A></DT>
+ <DD>Tampere District Student Housing Foundation (TOAS)</DD>
+
+<DT><A HREF="http://www.targed.org.uk">TARGED North West Wales Training & Enterprise Council Ltd</A></DT>
+ <DD>Linux based Apache server.</DD>
+
+<DT><A HREF="http://www.tecnet.com/">TECNET</A></DT>
+ <DD>The Worldwide Classifieds for New and Used Hi-Tech Equipment</DD>
+
+<DT><A HREF="http://www.teksouth.com/">Teksouth Corporation</A></DT>
+ <DD>Network printing products and high-tech personnel services.</DD>
+
+<DT><A HREF="http://www.telebase.com/">Telebase Systems</A></DT>
+ <DD>Information providers to the world</DD>
+
+<DT><A HREF="http://www.tembel.org/">Tembel's Hedonic Commune</A></DT>
+ <DD>Tembel's Hedonic Commune external server (also used internally).</DD>
+
+<DT><A HREF="http://stimpy.music.ua.edu/">TEMPUS - The University of Alabama Sch
+ool of Music</A></DT>
+ <DD>Perhaps the oldest web server in the state of Alabama</DD>
+
+<DT><A HREF="http://www.terraware.net/">TerraWare Systems</A></DT>
+ <DD>Making software that is biodegradable and containing no Phosphates!</DD>
+
+<DT><A HREF="http://www.metronet.com/">Texas Metronet</A></DT>
+ <DD>Internet Service Provider for Dallas/Fort Worth</DD>
+
+<DT><A HREF="http://trex.org">Trex, The place to visit</A></DT>
+ <DD>a Full Service BBS and much more. Runs on a Solbourn 5e/602</DD>
+
+<DT><A HREF="http://troubador.com/">Troubador Systems Web Sites and Business Packages</A></DT>
+ <DD>Personalized Service!!! for real... :-)</DD>
+
+<DT><A HREF="http://www.uniserve.com/">TVS-UNIServe</A></DT>
+ <DD>ISP and Web site developer for Vancouver</DD>
+
+<A NAME="uhook"></A>
+<P><DT><STRONG>U...</STRONG></DT>
+
+<DT><A HREF="http://xweb.com">Universal Algorithms, Inc.</A></DT>
+ <DD>CollegeNET, Precision Guides, Schedule25, Equinet</DD>
+
+<DT><A HREF="http://wwwedms.redstone.army.mil">US Army JEDMICS EDMS Program Office</A></DT>
+ <DD>Engineering Data Management Systems, Redstone Arsenal, Alabama</DD>
+
+<DT><A HREF="http://www.uu.net">UUNET/AlterNet technologies</A></DT>
+ <DD>Internet Service Provider</DD>
+
+<A NAME="vhook"></A>
+<P><DT><STRONG>V...</STRONG></DT>
+
+<DT><A HREF="http://www.vicksburg.com/">Vicksburg Online</A></DT>
+ <DD>Vicksburg, MS. Internet Service Provider</DD>
+
+<DT><A HREF="http://iuinfo.tuwien.ac.at/">Univ. of Technology Vienna, Dept's Support</A></DT>
+ <DD>IU Info Service, Campus Software Service, Goodie Domain Service, Platform Support S.</DD>
+
+<DT><A HREF="http://www.v-site.net/">Virtual Sites</A></DT>
+ <DD>A sense of Place in Cyberspace </DD>
+
+<DT><A HREF="http://www.vrx.net/">VRx Network Services INC.</A></DT>
+ <DD>Internet Solutions Provider in Toronto, CANADA</DD>
+
+<A NAME="whook"></A>
+<P><DT><STRONG>W...</STRONG></DT>
+
+<DT><A HREF="http://www.law.washington.edu/">The University of Washington School of Law</A></DT>
+ <DD>Linux-based Apache server since 0.6.2...</DD>
+
+<DT><A HREF="http://www.wadesign.co.uk/">WebArt Design</A></DT>
+ <DD>Providing Internet and Web solutions to business. Located in the UK</DD>
+
+<DT><A HREF="http://www.webpub.com/">Web Publishers</A></DT>
+ <DD>A Commercial Web Service Provider specializing in high-end clients.</DD>
+
+<DT><A HREF="http://websmith.ca/">The WebSmith Group</A></DT>
+ <DD>Web site hosting and authoring, located in Ottawa, Ontario</DD>
+
+<DT><A HREF="http://www.win-uk.net/">WinNET Communications Ltd</A></DT>
+ <DD>Internet Provider in the UK</DD>
+
+<DT><A HREF="http://wwns.com/wwns/">World Wide Network Services</A><DT>
+ <DD>An Internet Presence Provider. "Creating Your Image For The World" </DD>
+
+<A NAME="xhook"></A>
+<P><DT><STRONG>X...</STRONG></DT>
+<DT><A HREF="http://www.xensei.com/">Xensei</A></DT>
+ <DD>The Xensei Corp. Webmasters/ISP who love Apache.</DD>
+
+<A NAME="yhook"></A>
+
+<A NAME="zhook"></A>
+<P><DT><STRONG>Z...</STRONG></DT>
+
+<DT><A HREF="http://www.zycad.com/">Zycad</A></DT>
+ <DD>Suppliers of EDA acceleration products</DD>
+
+<DT><A HREF="http://www.zyzzyva.com/">Zyzzyva Enterprises</A></DT>
+ <DD>Commercial Web Development Services</DD>
+
+</DL>
+
+
+<HR><P>
+<STRONG>
+<A HREF="#ahook">A</A> | <A HREF="#bhook">B</A> | <A HREF="#chook">C</A> | <A HREF="#dhook">D</A> | <A HREF="#ehook">E</A> | <A HREF="#fhook">F</A> | <A HREF="#ghook">G</A> | <A HREF="#hhook">H</A> | <A HREF="#ihook">I</A> | <A HREF="#jhook">J</A> | <A HREF="#khook">K</A> | <A HREF="#lhook">L</A> | <A HREF="#mhook">M</A> | <A HREF="#nhook">N</A> | <A HREF="#ohook">O</A> | <A HREF="#phook">P</A> | <A HREF="#qhook">Q</A> | <A HREF="#rhook">R</A> | <A HREF="#shook">S</A> | <A HREF="#thook">T</A> | <A HREF="#uhook">U</A> | <A HREF="#vhook">V</A> | <A HREF="#whook">W</A> | <A HREF="#xhook">X</A> | <A HREF="#yhook">Y</A> | <A HREF="#zhook">Z</A>
+</STRONG>
+<P><HR>
+
+<P>Send additions to <A HREF="mailto:running-apache@zyzzyva.com">running-apache@zyzzyva.com</A>,
+in the form of HTML <DT> and <DD> entries, e.g.
+
+<PRE>
+<DT><A HREF="http://www.apache.org/">The Apache Project</A></DT>
+ <DD>The developers trust it :-)</DD>
+</PRE>
+
+<P>Any description over 80 characters will be truncated.</P>
+
+<P>See <A HREF="http://www.netcraft.com/Survey">http://www.netcraft.com/Survey</A> for Netcraft's survey of Apache (and other servers) usage.</P>
+
+<HR>
+<P><STRONG>Disclaimer</STRONG>: just because these sites run Apache, doesn't
+imply they offer good services, or that the Apache Project associates
+themsleves with the companies/organizations we list.</P>
+
+<HR>
+
+<P>Help spread the word... feel free to use the "Powered by Apache" logo (below) on your pages.</P>
+
+<P ALIGN="CENTER"><A HREF="../images/apache_pb.gif"><IMG BORDER=0
+SRC="../images/apache_pb.gif" ALT="Powered by Apache" WIDTH="259" HEIGHT="32"></A>
+</P>
+
+<HR>
+
+<P ALIGN="CENTER">
+<A HREF="/"><IMG SRC="../images/apache_home.gif" ALT="Home"></A>
+</P>
+
+
+</BODY>
+</HTML>
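Review bot: the added apache_users.html has mis-closed list elements that should be fixed before this is published. The `<DD>` lines for David Bowie Outside and Stones World end in `<DD>` instead of `</DD>`, the `<DT>` lines for France-Teaser, MadCap, More Email BBS and World Wide Network Services end in `<DT>` instead of `</DT>`, and the `<DD>` entries for Dragon Net and UT Houston are never closed. In the "Send additions" paragraph and the `<PRE>` example after it, the literal `<DT>` and `<DD>` tags need to be written as `&lt;DT&gt;` and `&lt;DD&gt;` or the browser will treat them as markup rather than show them. Bare `&` characters in descriptions (CareerSite, EQUINET, Soil & Crop Sciences) should be `&amp;`. Smaller points: the www.ton.tut.fi entry has empty anchor text and so renders with nothing to click, the `yhook` anchor has no section under it, three entries are wrapped mid-word ("N / et.", "A / rts", "Sch / ool"), and there are spelling slips such as "themsleves", "Interenet", "netowrking" and "Projetc".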
Added: websites/staging/httpd/trunk/content/info/css-security/apache_1.3.11_css_patch.txt
==============================================================================
--- websites/staging/httpd/trunk/content/info/css-security/apache_1.3.11_css_patch.txt (added)
+++ websites/staging/httpd/trunk/content/info/css-security/apache_1.3.11_css_patch.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,581 @@
+This patch is against Apache 1.3.11. It may be updated as the situation
+warrants.
+
+Last updated: Wed Feb 2 01:09:23 MST 2000
+
+Index: htdocs/manual/mod/core.html
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/core.html,v
+retrieving revision 1.162
+diff -u -r1.162 core.html
+--- core.html 2000/01/18 19:32:49 1.162
++++ core.html 2000/02/02 07:59:17
+@@ -23,6 +23,8 @@
+ <UL>
+ <LI><A HREF="#accessconfig">AccessConfig</A>
+ <LI><A HREF="#accessfilename">AccessFileName</A>
++<LI><A HREF="#adddefaultcharset">AddDefaultCharset</A>
++<LI><A HREF="#adddefaultcharsetname">AddDefaultCharsetName</A>
+ <LI><A HREF="#addmodule">AddModule</A>
+ <LI><A HREF="#allowoverride">AllowOverride</A>
+ <LI><A HREF="#authname">AuthName</A>
+@@ -162,6 +164,42 @@
+ <Directory /><BR>
+ AllowOverride None<BR>
+ </Directory></CODE></BLOCKQUOTE><P><HR>
++
++<H2><A NAME="adddefaultcharset">AddDefaultCharset directive</A></H2>
++<A HREF="directive-dict.html#Syntax" REL="Help"><STRONG>Syntax:</STRONG></A>
++AddDefaultCharset <EM>on / off</EM><BR>
++<A HREF="directive-dict.html#Context" REL="Help" ><STRONG>Context:</STRONG></A>
++all<BR>
++<A HREF="directive-dict.html#Status" REL="Help" ><STRONG>Status:</STRONG></A>
++core<BR>
++<A HREF="directive-dict.html#Default" REL="Help"><STRONG>Default:</STRONG></A>
++<CODE>AddDefaultCharset off</CODE><BR>
++<A HREF="directive-dict.html#Compatibility" REL="Help"><STRONG>Compatibility:
++</STRONG></A> AddDefaultCharset is only available in Apache 1.3.12 and later<P>
++If enabled, any response that does not have any parameter on the content
++type in the HTTP headers will have a charset parameter added specifying
++the character set the client should use for the document. This will
++override any character set specified in the body of the document via a
++<CODE>META</CODE> tag. The character set added is specified by the
++<CODE>AddDefaultCharsetName</CODE> directive.
++<P><HR>
++
++<H2><A NAME="adddefaultcharsetname">AddDefaultCharsetName directive</A></H2>
++<A HREF="directive-dict.html#Syntax" REL="Help"><STRONG>Syntax:</STRONG></A>
++AddDefaultCharsetName <EM>charset</EM><BR>
++<A HREF="directive-dict.html#Context" REL="Help" ><STRONG>Context:</STRONG></A>
++all<BR>
++<A HREF="directive-dict.html#Status" REL="Help" ><STRONG>Status:</STRONG></A>
++core<BR>
++<A HREF="directive-dict.html#Default" REL="Help"><STRONG>Default:</STRONG></A>
++<CODE>AddDefaultCharsetName iso-8859-1</CODE><BR>
++<A HREF="directive-dict.html#Compatibility" REL="Help"><STRONG>Compatibility:
++</STRONG></A> AddDefaultCharsetName is only available in Apache 1.3.12 and
++later<P>
++This directive specifies the name of the character set that will be added
++if the <A HREF="#adddefaultcharset">AddDefaultCharset</A> directive is
++enabled.
++<P><HR>
+
+ <H2><A NAME="addmodule">AddModule directive</A></H2>
+ <!--%plaintext <?INDEX {\tt AddModule} directive> -->
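Review bot: both new directive entries list Syntax, Context, Status, Default and Compatibility but no Override line, although the command table later in this patch registers them with OR_FILEINFO, so use in .htaccess depends on AllowOverride FileInfo. "Context: all" also hides the fact that the handlers call ap_check_cmd_context(cmd, NOT_IN_LIMIT) and refuse the directive inside a Limit section. The AddDefaultCharset text would benefit from one sentence saying that a document written in another character set and labelled only through a META tag will be mislabelled once the default is forced.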
+Index: htdocs/manual/mod/directives.html
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/directives.html,v
+retrieving revision 1.60
+diff -u -r1.60 directives.html
+--- directives.html 1999/12/19 16:34:32 1.60
++++ directives.html 2000/02/02 08:09:07
+@@ -30,6 +30,9 @@
+ <LI><A HREF="mod_autoindex.html#addalt">AddAlt</A>
+ <LI><A HREF="mod_autoindex.html#addaltbyencoding">AddAltByEncoding</A>
+ <LI><A HREF="mod_autoindex.html#addaltbytype">AddAltByType</A>
++<LI><A HREF="mod_mime.html#addcharset">AddCharset</A>
++<LI><A HREF="core.html#adddefaultcharset">AddDefaultCharset</A>
++<LI><A HREF="core.html#adddefaultcharsetname">AddDefaultCharsetName</A>
+ <LI><A HREF="mod_autoindex.html#adddescription">AddDescription</A>
+ <LI><A HREF="mod_mime.html#addencoding">AddEncoding</A>
+ <LI><A HREF="mod_mime.html#addhandler">AddHandler</A>
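Review bot: the AddCharset entry added here points at mod_mime.html#addcharset, but nothing else in this patch touches mod_mime or mentions AddCharset, and the CHANGES hunk does not list it. If this is an unrelated index fix, it should be called out separately or split from the cross site scripting changes so the patch stays easy to audit.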
+Index: htdocs/manual/mod/mod_include.html
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/htdocs/manual/mod/mod_include.html,v
+retrieving revision 1.23
+diff -u -r1.23 mod_include.html
+--- mod_include.html 1998/09/17 12:06:40 1.23
++++ mod_include.html 2000/02/02 07:59:18
+@@ -89,15 +89,34 @@
+ routine when printing dates.
+ </DL>
+
++<A NAME="echo">
+ <DT><STRONG>echo</STRONG>
+ <DD>
+ This command prints one of the include variables, defined below.
+ If the variable is unset, it is printed as <CODE>(none)</CODE>.
+ Any dates printed are subject to the currently configured <CODE>timefmt</CODE>.
++
+ Attributes:
+ <DL>
+ <DT>var
+ <DD>The value is the name of the variable to print.
++<DT>encoding
++<DD>Specifies how Apache should encode special characters contained
++in the variable before outputting them. If set to "none", no encoding
++will be done. If set to "url", then URL encoding (also known as
++%-encoding; this is appropriate for use within URLs in links, etc.)
++will be performed. At the start of an <CODE>echo</CODE> element,
++the default is set to "entity", resulting in entity encoding (which
++is appropriate in the context of a block-level HTML element, eg.
++a paragraph of text). This can be changed by adding an
++<CODE>encoding</CODE> attribute, which will remain in effect until
++the next <CODE>encoding</CODE> attribute is encountered or the
++element ends, whichever comes first. Note that only special
++characters as defined in the ISO-8859-1 character encoding will be
++encoded. This encoding process may not have the desired result if
++a different character encoding is in use. Apache 1.3.12 and above; previous
++versions do no encoding.
++
+ </DL>
+
+ <DT><STRONG>exec</STRONG>
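Review bot: the `<A NAME="echo">` added above the echo term is never closed in this hunk, and it sits between `</DL>` and `<DT>`, so the anchor runs on over the content that follows. Wrapping just the term, as in `<DT><STRONG><A NAME="echo">echo</A></STRONG>`, gives printenv its link target without the open element. The encoding text could also say that the value is matched case-insensitively, since the code compares it with strcasecmp, and "eg." should be "e.g.".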
+@@ -181,7 +200,9 @@
+
+ <DT><STRONG>printenv</STRONG>
+ <DD>This prints out a listing of all existing variables and their values.
+- No attributes.
++ Starting with Apache 1.3.12, special characters are entity encoded (see the
++ <A HREF="#echo"><CODE>echo</CODE></A> element for details) before being
++ output. No attributes.
+ <DD>For example: <CODE><!--#printenv --></CODE>
+ <DD>Apache 1.2 and above.
+
+Index: src/CHANGES
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/CHANGES,v
+retrieving revision 1.1502
+diff -u -r1.1502 CHANGES
+--- CHANGES 2000/01/18 17:12:13 1.1502
++++ CHANGES 2000/02/02 08:09:11
+@@ -1,3 +1,31 @@
++Changes with Apache 1.3.12
++
++ *) Add an explicit charset=iso-8859-1 to pages generated by
++ ap_send_error_response(), such as the default 404 page.
++ [Marc Slemko]
++
++ *) Add the AddDefaultCharset and AddDefaultCharsetName directives.
++ These allow you to tell Apache to specify the given character
++ set on any document that does not have one explicitly specified in
++ the headers. [Marc Slemko]
++
++ *) Properly escape various messages output to the client from a number
++ of modules and places in the core code. [Marc Slemko]
++
++ *) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
++ not consider any parameters such as charset when making decisions
++ based on content type. This does remove some functionality for
++ some users, but means that when these modules are configured to do
++ particular things with particular MIME types, the charset should
++ not be included. A better way of addressing this for users who
++ want to set things on a per charset basis is necessary in the future.
++ [Marc Slemko]
++
++ *) mod_include now entity encodes output from "printenv" and "echo var"
++ by default. The encoding for "echo var" can be set to URL encoding
++ or no encoding using the new "encoding" attribute to the echo tag.
++ [Marc Slemko]
++
+ Changes with Apache 1.3.11
+
+ *) MPE builds are no longer stripped, which caused the executable
+Index: src/include/http_core.h
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/include/http_core.h,v
+retrieving revision 1.59
+diff -u -r1.59 http_core.h
+--- http_core.h 1999/06/28 22:38:25 1.59
++++ http_core.h 2000/02/02 07:59:24
+@@ -243,6 +243,15 @@
+ */
+ unsigned d_is_fnmatch : 1;
+
++ /* should we force a charset on any outgoing parameterless content-type?
++ * if so, which charset?
++ */
++#define ADD_DEFAULT_CHARSET_OFF (0)
++#define ADD_DEFAULT_CHARSET_ON (1)
++#define ADD_DEFAULT_CHARSET_UNSET (2)
++ unsigned add_default_charset : 2;
++ char *add_default_charset_name;
++
+ /* System Resource Control */
+ #ifdef RLIMIT_CPU
+ struct rlimit *limit_cpu;
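Review bot: add_default_charset_name is declared `char *` but http_core.c initialises it from DEFAULT_ADD_DEFAULT_CHARSET_NAME, which is a string literal, and nothing in the patch writes through the pointer; declaring it `const char *` would match how it is used. The three ADD_DEFAULT_CHARSET_* defines are placed inside the struct body, so a short comment saying that UNSET exists only for the merge step would help readers of the header.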
+Index: src/include/httpd.h
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/include/httpd.h,v
+retrieving revision 1.303
+diff -u -r1.303 httpd.h
+--- httpd.h 2000/01/30 19:46:11 1.303
++++ httpd.h 2000/02/02 07:59:24
+@@ -409,6 +409,12 @@
+ #endif /* default limit on number of request header fields */
+
+ /*
++ * The default default character set name to add if AddDefaultCharset is
++ * enabled. Overridden with AddDefaultCharsetName.
++ */
++#define DEFAULT_ADD_DEFAULT_CHARSET_NAME "iso-8859-1"
++
++/*
+ * The below defines the base string of the Server: header. Additional
+ * tokens can be added via the ap_add_version_component() API call.
+ *
+Index: src/main/http_core.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/main/http_core.c,v
+retrieving revision 1.277
+diff -u -r1.277 http_core.c
+--- http_core.c 2000/01/11 14:13:40 1.277
++++ http_core.c 2000/02/02 07:59:25
+@@ -154,6 +154,9 @@
+
+ conf->server_signature = srv_sig_unset;
+
++ conf->add_default_charset = ADD_DEFAULT_CHARSET_UNSET;
++ conf->add_default_charset_name = DEFAULT_ADD_DEFAULT_CHARSET_NAME;
++
+ return (void *)conf;
+ }
+
+@@ -281,6 +284,14 @@
+ conf->server_signature = new->server_signature;
+ }
+
++ if (new->add_default_charset != ADD_DEFAULT_CHARSET_UNSET) {
++ conf->add_default_charset = new->add_default_charset;
++ }
++
++ if (new->add_default_charset_name) {
++ conf->add_default_charset_name = new->add_default_charset_name;
++ }
++
+ return (void*)conf;
+ }
+
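Review bot: the name merge can never inherit from the parent. The earlier hunk sets conf->add_default_charset_name = DEFAULT_ADD_DEFAULT_CHARSET_NAME in every freshly created config, so `if (new->add_default_charset_name)` is always true and a directory section that does not mention AddDefaultCharsetName still overwrites the parent's value with "iso-8859-1". Either create the config with the name set to NULL and apply the default at the point of use in make_content_type, or track whether the name was explicitly set, the same way ADD_DEFAULT_CHARSET_UNSET is used for the flag.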
+@@ -1035,6 +1046,28 @@
+ }
+ #endif /*GPROF*/
+
++static const char *set_add_default_charset(cmd_parms *cmd,
++ core_dir_config *d, int arg)
++{
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
++ if (err != NULL) {
++ return err;
++ }
++ d->add_default_charset = arg != 0;
++ return NULL;
++}
++
++static const char *set_add_default_charset_name(cmd_parms *cmd,
++ core_dir_config *d, char *arg)
++{
++ const char *err = ap_check_cmd_context(cmd, NOT_IN_LIMIT);
++ if (err != NULL) {
++ return err;
++ }
++ d->add_default_charset_name = arg;
++ return NULL;
++}
++
+ static const char *set_document_root(cmd_parms *cmd, void *dummy, char *arg)
+ {
+ void *sconf = cmd->server->module_config;
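Review bot: set_add_default_charset_name stores arg without looking at it, and make_content_type later concatenates it straight after "; charset=" in the Content-Type header. Because the command table registers the directive with OR_FILEINFO, the value can come from an .htaccess file, so it is worth rejecting anything that is not a plain charset token (empty string, whitespace, ';', control characters) and returning an error string from the handler instead.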
+@@ -2786,6 +2819,10 @@
+ { "GprofDir", set_gprof_dir, NULL, RSRC_CONF, TAKE1,
+ "Directory to plop gmon.out files" },
+ #endif
++{ "AddDefaultCharset", set_add_default_charset, NULL, OR_FILEINFO, FLAG,
++ "whether or not to add a default charset to any Content-Type without one" },
++{ "AddDefaultCharsetName", set_add_default_charset_name, NULL, OR_FILEINFO,
++ TAKE1, "The name of the charset to add if AddDefaultCharset is enabled" },
+
+ /* Old resource config file commands */
+
+Index: src/main/http_log.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/main/http_log.c,v
+retrieving revision 1.82
+diff -u -r1.82 http_log.c
+--- http_log.c 2000/01/31 22:24:07 1.82
++++ http_log.c 2000/02/02 07:59:25
+@@ -487,7 +487,8 @@
+ if (((level & APLOG_LEVELMASK) <= APLOG_WARNING)
+ && (ap_table_get(r->notes, "error-notes") == NULL)) {
+ ap_table_setn(r->notes, "error-notes",
+- ap_pvsprintf(r->pool, fmt, args));
++ ap_escape_html(r->pool, ap_pvsprintf(r->pool, fmt,
++ args)));
+ }
+ va_end(args);
+ }
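Review bot: escaping at the point where "error-notes" is stored changes what the note contains, from the formatted message text to HTML, and nothing in this hunk records that. The proxy_util.c hunk later in this patch writes markup into the same note, so the convention appears to be that "error-notes" holds HTML ready for output; a comment here stating that, and that every writer is responsible for escaping, would keep a future caller from storing raw text or escaping twice.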
+Index: src/main/http_protocol.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
+retrieving revision 1.286
+diff -u -r1.286 http_protocol.c
+--- http_protocol.c 2000/01/11 14:13:41 1.286
++++ http_protocol.c 2000/02/02 07:59:28
+@@ -103,6 +103,35 @@
+
+ #endif /*CHARSET_EBCDIC*/
+
++/*
++ * Builds the content-type that should be sent to the client from the
++ * content-type specified. The following rules are followed:
++ * - if type is NULL, type is set to ap_default_type(r)
++ * - if charset adding is disabled, stop processing and return type.
++ * - then, if there are no parameters on type, add the default charset
++ * - return type
++ */
++static const char *make_content_type(request_rec *r, const char *type) {
++ const char *i;
++ core_dir_config *conf = (core_dir_config *)ap_get_module_config(
++ r->per_dir_config, &core_module);
++ if (!type) type = ap_default_type(r);
++ if (conf->add_default_charset != ADD_DEFAULT_CHARSET_ON) return type;
++
++ i = type;
++ while (*i && *i != ';') i++;
++ if (*i && *i == ';') {
++ /* already has parameter, do nothing */
++ /* XXX should check for actual charset=, but then we need real
++ * parsing code
++ */
++ } else {
++ type = ap_pstrcat(r->pool, type, "; charset=",
++ conf->add_default_charset_name, NULL);
++ }
++ return type;
++}
++
+ static int parse_byterange(char *range, long clength, long *start, long *end)
+ {
+ char *dash = strchr(range, '-');
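Review bot: in make_content_type the test for ';' treats any parameter as if it were a charset, so a type that carries some other parameter is returned unchanged and goes out without the default charset. The XXX comment acknowledges this; since the directive exists as a protective measure, a minimal scan for "charset=" among the parameters would close the gap. The condition `*i && *i == ';'` is redundant (`*i == ';'` is enough), and the function appends the charset to every parameterless type, including non-text ones, which deserves either a check on the major type or a line in the comment block saying it is intentional.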
+@@ -265,7 +294,7 @@
+ }
+
+ if (r->byterange > 1) {
+- const char *ct = r->content_type ? r->content_type : ap_default_type(r);
++ const char *ct = make_content_type(r, r->content_type);
+ char ts[MAX_STRING_LEN];
+
+ ap_snprintf(ts, sizeof(ts), "%ld-%ld/%ld", range_start, range_end,
+@@ -1636,10 +1665,8 @@
+ ap_table_setn(r->headers_out, "Content-Type",
+ ap_pstrcat(r->pool, "multipart", use_range_x(r) ? "/x-" : "/",
+ "byteranges; boundary=", r->boundary, NULL));
+- else if (r->content_type)
+- ap_table_setn(r->headers_out, "Content-Type", r->content_type);
+- else
+- ap_table_setn(r->headers_out, "Content-Type", ap_default_type(r));
++ else ap_table_setn(r->headers_out, "Content-Type", make_content_type(r,
++ r->content_type));
+
+ if (r->content_encoding)
+ ap_table_setn(r->headers_out, "Content-Encoding", r->content_encoding);
+@@ -2550,7 +2577,7 @@
+ r->content_languages = NULL;
+ r->content_encoding = NULL;
+ r->clength = 0;
+- r->content_type = "text/html";
++ r->content_type = "text/html; charset=iso-8859-1";
+
+ if ((status == METHOD_NOT_ALLOWED) || (status == NOT_IMPLEMENTED))
+ ap_table_setn(r->headers_out, "Allow", make_allow(r));
+Index: src/main/util.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/main/util.c,v
+retrieving revision 1.176
+diff -u -r1.176 util.c
+--- util.c 2000/01/12 20:57:48 1.176
++++ util.c 2000/02/02 07:59:29
+@@ -127,6 +127,8 @@
+ {
+ const char *semi;
+
++ if (intype == NULL) return NULL;
++
+ semi = strchr(intype, ';');
+ if (semi == NULL) {
+ return ap_pstrdup(p, intype);
+Index: src/modules/proxy/proxy_util.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v
+retrieving revision 1.83
+diff -u -r1.83 proxy_util.c
+--- proxy_util.c 2000/01/11 14:13:47 1.83
++++ proxy_util.c 2000/02/02 07:59:29
+@@ -844,9 +844,12 @@
+ ap_table_setn(r->notes, "error-notes",
+ ap_pstrcat(r->pool,
+ "The proxy server could not handle the request "
+- "<EM><A HREF=\"", r->uri, "\">",
+- r->method, " ", r->uri, "</A></EM>.<P>\n"
+- "Reason: <STRONG>", message, "</STRONG>", NULL));
++ "<EM><A HREF=\"", ap_escape_uri(r->pool, r->uri),
++ "\">", r->method, " ",
++ ap_escape_html(r->pool, r->uri), "</A></EM>.<P>\n"
++ "Reason: <STRONG>",
++ ap_escape_html(r->pool, message),
++ "</STRONG>", NULL));
+
+ /* Allow the "error-notes" string to be printed by ap_send_error_response() */
+ ap_table_setn(r->notes, "verbose-error-to", ap_pstrdup(r->pool, "*"));
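Review bot: r->method is still concatenated into the error note unescaped, between the escaped href and the escaped link text. It is taken from the request line just like r->uri, so it should go through ap_escape_html(r->pool, r->method) as well for this hunk to cover every request-derived string in the message.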
+Index: src/modules/standard/mod_actions.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_actions.c,v
+retrieving revision 1.33
+diff -u -r1.33 mod_actions.c
+--- mod_actions.c 2000/01/11 14:23:03 1.33
++++ mod_actions.c 2000/02/02 07:59:30
+@@ -195,7 +195,8 @@
+ {
+ action_dir_config *conf = (action_dir_config *)
+ ap_get_module_config(r->per_dir_config, &action_module);
+- const char *t, *action = r->handler ? r->handler : r->content_type;
++ const char *t, *action = r->handler ? r->handler :
++ ap_field_noparam(r->pool, r->content_type);
+ const char *script;
+ int i;
+
+Index: src/modules/standard/mod_autoindex.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_autoindex.c,v
+retrieving revision 1.113
+diff -u -r1.113 mod_autoindex.c
+--- mod_autoindex.c 1999/12/31 05:35:52 1.113
++++ mod_autoindex.c 2000/02/02 07:59:30
+@@ -732,7 +732,7 @@
+
+ static char *find_item(request_rec *r, array_header *list, int path_only)
+ {
+- const char *content_type = r->content_type;
++ const char *content_type = ap_field_noparam(r->pool, r->content_type);
+ const char *content_encoding = r->content_encoding;
+ char *path = r->filename;
+
+Index: src/modules/standard/mod_expires.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_expires.c,v
+retrieving revision 1.33
+diff -u -r1.33 mod_expires.c
+--- mod_expires.c 1999/10/21 20:45:26 1.33
++++ mod_expires.c 2000/02/02 07:59:30
+@@ -437,7 +437,8 @@
+ if (r->content_type == NULL)
+ code = NULL;
+ else
+- code = (char *) ap_table_get(conf->expiresbytype, r->content_type);
++ code = (char *) ap_table_get(conf->expiresbytype,
++ ap_field_noparam(r->pool, r->content_type));
+
+ if (code == NULL) {
+ /* no expires defined for that type, is there a default? */
+Index: src/modules/standard/mod_include.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_include.c,v
+retrieving revision 1.121
+diff -u -r1.121 mod_include.c
+--- mod_include.c 1999/12/31 05:35:52 1.121
++++ mod_include.c 2000/02/02 07:59:30
+@@ -922,7 +922,10 @@
+ {
+ char tag[MAX_STRING_LEN];
+ char *tag_val;
++ enum {E_NONE, E_URL, E_ENTITY} encode;
+
++ encode = E_ENTITY;
++
+ while (1) {
+ if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
+ return 1;
+@@ -931,7 +934,15 @@
+ const char *val = ap_table_get(r->subprocess_env, tag_val);
+
+ if (val) {
+- ap_rputs(val, r);
++ if (encode == E_NONE) {
++ ap_rputs(val, r);
++ }
++ else if (encode == E_URL) {
++ ap_rputs(ap_escape_uri(r->pool, val), r);
++ }
++ else if (encode == E_ENTITY) {
++ ap_rputs(ap_escape_html(r->pool, val), r);
++ }
+ }
+ else {
+ ap_rputs("(none)", r);
+@@ -940,6 +951,19 @@
+ else if (!strcmp(tag, "done")) {
+ return 0;
+ }
++ else if (!strcmp(tag, "encoding")) {
++ if (!strcasecmp(tag_val, "none")) encode = E_NONE;
++ else if (!strcasecmp(tag_val, "url")) encode = E_URL;
++ else if (!strcasecmp(tag_val, "entity")) encode = E_ENTITY;
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
++ "unknown value \"%s\" to parameter \"encoding\" of "
++ "tag echo in %s",
++ tag_val, r->filename);
++ ap_rputs(error, r);
++ }
++ }
++
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
+ "unknown parameter \"%s\" to tag echo in %s",
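Review bot: when the encoding value is not recognised, the error is logged and printed but `encode` keeps whatever value it had, so an element that earlier set encoding to "none" and then gives a mistyped value continues to print later variables unencoded. Resetting `encode = E_ENTITY` in that error branch would make the failure case fall back to the safe default. The blank added line between the closing brace of the "encoding" branch and the final `else {` also splits the else-if chain visually and can be dropped.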
+@@ -2116,7 +2140,8 @@
+ }
+ else if (!strcmp(tag, "done")) {
+ for (i = 0; i < arr->nelts; ++i) {
+- ap_rvputs(r, elts[i].key, "=", elts[i].val, "\n", NULL);
++ ap_rvputs(r, ap_escape_html(r->pool, elts[i].key), "=",
++ ap_escape_html(r->pool, elts[i].val), "\n", NULL);
+ }
+ return 0;
+ }
+Index: src/modules/standard/mod_log_config.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_log_config.c,v
+retrieving revision 1.80
+diff -u -r1.80 mod_log_config.c
+--- mod_log_config.c 1999/12/15 23:04:22 1.80
++++ mod_log_config.c 2000/02/02 07:59:30
+@@ -391,7 +391,7 @@
+ {
+ const char *cp = ap_table_get(r->headers_out, a);
+ if (!strcasecmp(a, "Content-type") && r->content_type) {
+- cp = r->content_type;
++ cp = ap_field_noparam(r->pool, r->content_type);
+ }
+ if (cp) {
+ return cp;
+Index: src/modules/standard/mod_status.c
+===================================================================
+RCS file: /export/home/cvs/apache-1.3/src/modules/standard/mod_status.c,v
+retrieving revision 1.110
+diff -u -r1.110 mod_status.c
+--- mod_status.c 2000/01/12 15:55:02 1.110
++++ mod_status.c 2000/02/02 07:59:31
+@@ -597,9 +597,10 @@
+ format_byte_out(r, bytes);
+ ap_rputs(")\n", r);
+ ap_rprintf(r, " <i>%s {%s}</i> <b>[%s]</b><br>\n\n",
+- score_record.client,
++ ap_escape_html(r->pool, score_record.client),
+ ap_escape_html(r->pool, score_record.request),
+- vhost ? vhost->server_hostname : "(unavailable)");
++ vhost ? ap_escape_html(r->pool,
++ vhost->server_hostname) : "(unavailable)");
+ }
+ else { /* !no_table_report */
+ if (score_record.status == SERVER_DEAD)
+@@ -671,8 +672,9 @@
+ else
+ ap_rprintf(r,
+ "<td>%s<td nowrap>%s<td nowrap>%s</tr>\n\n",
+- score_record.client,
+- vhost ? vhost->server_hostname : "(unavailable)",
++ ap_escape_html(r->pool, score_record.client),
++ vhost ? ap_escape_html(r->pool,
++ vhost->server_hostname) : "(unavailable)",
+ ap_escape_html(r->pool, score_record.request));
+ } /* no_table_report */
+ } /* !short_report */
Added: websites/staging/httpd/trunk/content/info/css-security/apache_specific.html
==============================================================================
--- websites/staging/httpd/trunk/content/info/css-security/apache_specific.html (added)
+++ websites/staging/httpd/trunk/content/info/css-security/apache_specific.html Sun May 6 14:18:02 2012
@@ -0,0 +1,105 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+ <HEAD>
+ <TITLE>Cross Site Scripting Info: Apache Specific</TITLE>
+ </HEAD>
+
+ <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+ <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#000080"
+ ALINK="#FF0000">
+ <DIV ALIGN="CENTER">
+ <IMG SRC="../../images/apache_sub.gif" ALT="[APACHE DOCUMENTATION]">
+ </DIV>
+ <H1 ALIGN="CENTER">Cross Site Scripting Info: Apache Specific</H1>
+
+<H2>Introduction:</H2>
+
+<P>While reviewing the Apache code for any problems related to this
+problem, we have discovered a number of issues. Many of them are
+not bugs in Apache, but are places where Apache can do more to
+avoid being vulnerable to the Cross Site Scripting security problem.
+None of the changes fix any security holes in Apache itself that
+can compromise the server directly, but are focused towards its
+interaction with clients.
+
+<P>Included below is a summary of the current known issues and
+fixes, where available. This information will be expanded on as
+information becomes available and time permits.
+
+<H2>Issues outstanding:</H2>
+<UL>
+
+<LI>Older versions of the <CODE>printenv</CODE> CGI script distributed with
+Apache did not properly encode their output. If you have one of these on
+your system, and this issue impacts your site, you should disable the CGI.
+
+<LI>Current versions of <CODE>printenv</CODE> and <CODE>test-cgi</CODE>
+send content with a MIME type of text/plain, meaning that no encoding
+is required or possible. This was changed effective in Apache
+1.3.11 to fix the problem of <CODE>printenv</CODE> not properly
+encoding its output. Unfortunately, Microsoft Internet Explorer
+does not respect that MIME type, and incorrectly processes the
+output as HTML that is what it guesses it to be. This security
+problem has been reported to Microsoft. At this time, the recommended
+workaround is to simply remove the <CODE>printenv</CODE> and
+<CODE>test-cgi</CODE> scripts from your site if this issue impacts
+you.
+
+<LI>If you do have other legitimate text/plain content on your site
+that is generated based on user input, you may need to configure
+your server to prevent IE from accessing it or change it to text/html
+so you can encode it. Alternatively, you can filter special
+characters if that is possible in your situation. Thankfully, this
+only impacts a very few sites.
+
+<LI>A number of Apache modules such as <CODE>mod_status</CODE> do not
+set an explicit character set on their output. Using the AddDefaultCharset
+directive will work around this. The modules that don't set an explicit
+character set are not normally accessible to users and they are not
+thought to pose a significant risk.
+
+<LI>What is necessary to ensure that sites that legitimately use character
+sets with different encodings of special characters, such as UTF-7, are
+protected. How can Apache facilitate this? This is a major issue for
+those with a significant amount of content in character sets other than
+iso-8859-1.
+
+
+</UL>
+
+<H2>Fixes from CHANGES file:</H2>
+<P>These will be expanded on as time permits. These patches are available
+in the current <A HREF="apache_1.3.11_css_patch.txt">Apache patch</A>
+against Apache 1.3.11.
+
+<PRE>
+ *) Add an explicit charset=iso-8859-1 to pages generated by
+ ap_send_error_response(), such as the default 404 page.
+ [Marc Slemko]
+
+ *) Add the AddDefaultCharset and AddDefaultCharsetName directives.
+ These allow you to tell Apache to specify the given character
+ set on any document that does not have one explicitly specified in
+ the headers. [Marc Slemko]
+
+ *) Properly escape various messages output to the client from a number
+ of modules and places in the core code. [Marc Slemko]
+
+ *) Change mod_actions, mod_autoindex, mod_expires, and mod_log_config to
+ not consider any parameters such as charset when making decisions
+ based on content type. This does remove some functionality for
+ some users, but means that when these modules are configured to do
+ particular things with particular MIME types, the charset should
+ not be included. A better way of addressing this for users who
+ want to set things on a per charset basis is necessary in the future.
+ [Marc Slemko]
+
+ *) mod_include now entity encodes output from "printenv" and "echo var"
+ by default. The encoding for "echo var" can be set to URL encoding
+ or no encoding using the new "encoding" attribute to the echo tag.
+ [Marc Slemko]
+
+</PRE>
+
+</BODY>
+</HTML>
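Review bot: two of the "Issues outstanding" items are hard to parse. In the printenv/test-cgi item, "incorrectly processes the output as HTML that is what it guesses it to be" seems to be missing an "if" before "that is what", and the last item ("What is necessary to ensure that sites ... are protected.") is phrased as a question but punctuated as a statement. The mod_status item recommends AddDefaultCharset as a workaround without linking to its documentation or showing the directive lines; a link to the new core.html entries would make the advice actionable.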
Added: websites/staging/httpd/trunk/content/info/css-security/encoding_examples.html
==============================================================================
--- websites/staging/httpd/trunk/content/info/css-security/encoding_examples.html (added)
+++ websites/staging/httpd/trunk/content/info/css-security/encoding_examples.html Sun May 6 14:18:02 2012
@@ -0,0 +1,167 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+ <HEAD>
+ <TITLE>Cross Site Scripting Info: Encoding Examples</TITLE>
+ </HEAD>
+
+ <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+ <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#000080"
+ ALINK="#FF0000">
+ <DIV ALIGN="CENTER">
+ <IMG SRC="../../images/apache_sub.gif" ALT="[APACHE DOCUMENTATION]">
+ </DIV>
+ <H1 ALIGN="CENTER">Cross Site Scripting Info: Encoding Examples</H1>
+
+<H2>Introduction:</H2>
+
+<P>We trust you are already familiar with the Cross Site Scripting
+security problem and the concept behind how it works. If not, see
+the <A HREF="http://www.cert.org/advisories/CA-2000-02.html">CERT
+Advisory CA-2000-02</A> that has been released on this issue for
+details before continuing.
+
+<P>This document focuses on how you can safely encode data before
+it is output to the client. The main method of doing this is through
+entity encoding, as described in the CERT advisory, using entities
+such as "&lt;".
+
+<H2>General Comments on Encoding:</H2>
+
+<P>Note that, in general, many functions that perform entity encoding
+do so in a way which is only suitable for use outside attribute
+values, in normal block level elements such as a paragraph of text.
+Many of the functions referenced below are in this category. This
+means they may not encode characters such as the double or single
+quote. If you don't use quotation marks around an attribute value
+supplied from user input, then you need to encode even more
+characters. Always use quotes and you won't have to worry about
+that particular issue.
+
+<P>Unfortunately, the situation for encoding data within attribute
+values or within the body scripts (eg. within "<SCRIPT>"
+tags) is more complex and less understood. If you are in this
+situation, you may be wise to consider filtering special characters
+(as described in the <A
+HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html">CERT
+Tech Tip</A>) instead of encoding them. Generally, encoding is
+recommended because it does not require you to make a decision about
+what characters could legitimately be entered and need to be passed
+through and it has less of an impact on existing functionality.
+
+<P>The reason why safely encoding data within attribute values is
+difficult is because some characters that are not considered special
+characters can be arranged to have unexpected effects in certain
+attribute values. This is very specific to the tag the attribute
+is associated with and to how the client interprets it. For example,
+if you let the user enter the value for a HREF attribute, and you
+encode it properly, you could end up outputting a tag such as:
+
+<PRE>
+<A HREF="javascript:document.writeln(document.cookie + &quot;&lt;BR&gt;&quot;)">
+</PRE>
+
+Even though you have properly encoded special characters, many popular
+browsers will interpret a "javascript:" URL as containing JavaScript
+to execute in the context of the current document.
+
+<P>One of the issues that is still unresolved is exactly what HTML
+tags are "safe" to allow through, and what the algorithm for doing so
+is like. Many sites wish to allow users to enter a limited subset
+of "safe" HTML. This is still very much an open issue. It has been
+an issue for quite some time, and it is our hope that this Cross Site
+Scripting problem will help prompt more work into addressing it.
+
+<P>If you are encoding user entered data in a URL, then URL encoding (also
+known as percent encoding) is appropriate. Unfortunately, this can be
+a complex thing to get right because the special characters in "http://",
+for example, must remain unencoded because they are part of the syntax
+of the URL. Better solutions to deal with this are necessary.
+
+<P>Also note that some URL encoding functions encode a space into a "+" for
+historical reasons. This will only work in the query string for CGIs, and
+will not properly encode a space in other parts of the URL.
+
+<P>We realize that all these special situations and the lack of a single
+bulletproof set of steps for encoding user data, wherever it may occur on
+the page, makes the task of fixing this problem quite challenging in some
+cases. We wish we had a better answer, and are working on filling in the
+fuzzy areas.
+
+<H2>PHP Example:</H2>
+
+<PRE>
+<?
+$Text = "foo<b>bar";
+$URL = "foo<b>bar.html";
+echo HTMLSpecialChars($Text), "<BR>";
+echo "<A HREF=\"", rawurlencode($URL), "\">link</A>";
+?>
+</PRE>
+
+<P>Note that PHP also has a strip_tags() function that will remove all
+HTML tags from a string. Using this function in a manner such as:
+
+<PRE>
+ echo strip_tags($Text);
+</PRE>
+
+will strip all HTML from the input. However, if you use it in the form:
+
+<PRE>
+ echo strip_tags($Text, "<B>");
+</PRE>
+
+which only allows the "<B>" tag through, you are still often
+vulnerable to users inserting script code. By design, this function
+does not strip attributes from the tags. This means it is often
+possible to include things such as JavaScript event attributes.
+An example of a tag that would be allowed by the above strip_tags()
+call is:
+
+<PRE>
+ <B onmouseover="document.location='http://www.cert.org/'">
+</PRE>
+
+<P>Some clients accept such attributes on tags that are otherwise benign.
+
+<H2>Apache Module Example:</H2>
+
+<PRE>
+char *Text = "foo<b>bar";
+char *URL = "foo<b>bar.html";
+ap_rvputs(r, ap_escape_html(r->pool, Text), "<BR>", NULL);
+ap_rvputs(r, "<A HREF=\"", ap_escape_uri(r->pool, URL), "\">link</A>", NULL);
+</PRE>
+
+<H2>mod_perl Example:</H2>
+
+<PRE>
+$Text = "foo<b>bar";
+$URL = "foo<b>bar.html";
+$r->print(Apache::Util::escape_html($Text), "<BR>");
+$r->print("<A HREF=\"", Apache::Util::escape_uri($URL), "\">link</A>");
+</PRE>
+
+<P>This uses the same functions as in the Apache Module Example, called
+from Perl instead of directly from C.
+
+<H2>Perl Example:</H2>
+
+<PRE>
+use CGI ();
+$Text = "foo<b>bar";
+$URL = "foo<b>bar.html";
+print CGI::escapeHTML($Text), "<BR>";
+print qq(<A HREF="), CGI::escape($URL), qq(">link</A>);
+</PRE>
+
+<P>Note that if you use the CGI.pm module in its full intended role,
+instead of just using helper functions from it, it will automatically
+encode special characters in many places. Unfortunately, this is yet
+again likely not sufficient in all situations. See the documentation at
+<A HREF="http://stein.cshl.org/WWW/software/CGI/">
+http://stein.cshl.org/WWW/software/CGI/</A> for more details on what
+this module can do.
+
+</BODY>
+</HTML>
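Review bot: the sample markup inside the PRE blocks of this file is written raw rather than entity-escaped, so as committed a browser will parse it instead of displaying it. In the PHP, Apache module, mod_perl and Perl examples the `<b>`, `<BR>` and `<A HREF=...>` inside the string literals become real elements, the `<?` ... `?>` block is unlikely to display at all, and the strip_tags() illustration `<B onmouseover="document.location='http://www.cert.org/'">` becomes a live element with a working event handler on the very page that warns about it. Suggest writing every `<`, `>` and `&` in the PRE blocks, and in the prose mention of "<B>", as character entities. A smaller structural point: the sentences that follow the two strip_tags() PRE blocks ("will strip all HTML from the input...", "which only allows the...") are not inside any <P>.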
Added: websites/staging/httpd/trunk/content/info/css-security/index.html
==============================================================================
--- websites/staging/httpd/trunk/content/info/css-security/index.html (added)
+++ websites/staging/httpd/trunk/content/info/css-security/index.html Sun May 6 14:18:02 2012
@@ -0,0 +1,147 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<HTML>
+ <HEAD>
+ <TITLE>Cross Site Scripting Info</TITLE>
+ </HEAD>
+
+ <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
+ <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#000080"
+ ALINK="#FF0000">
+ <DIV ALIGN="CENTER">
+ <IMG SRC="../../images/apache_sub.gif" ALT="[APACHE DOCUMENTATION]">
+ </DIV>
+ <H1 ALIGN="CENTER">Cross Site Scripting Info</H1>
+<CENTER>Last Modified: <!--#flastmod file="index.html"--></CENTER>
+
+<H2>Introduction:</H2>
+
+<P>This page contains information about the Cross Site Scripting
+security issue, how it impacts Apache itself, and how to properly
+protect against it when using Apache related technologies.
+
+<P>For an overview of the issue, please see the <A
+HREF="http://www.cert.org/advisories/CA-2000-02.html">CERT Advisory
+CA-2000-02</A> that has been released on the issue. You should
+also review their related <A
+HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html">
+Understanding Malicious Content Mitigation For Web Developers</A> tech
+tips document. The CERT advisory also contains links to a number of
+documents that Microsoft has put out on the issue which are also worth
+reviewing if this issue impacts you. The information contained in
+these documents will not be repeated here; this information assumes you
+have read these documents and are familiar with the issue.
+
+<P>We would like to emphasize that this is <B>not</B> an attack
+against any specific bug in a specific piece of software. It is
+not an Apache problem. It is not a Microsoft problem. It is not
+a Netscape problem. In fact, it isn't even a problem that can be
+clearly defined to be a server problem or a client problem. It is
+an issue that is truly cross platform and is the result of unforeseen
+and unexpected interactions between various components of a set of
+interconnected complex systems.
+
+<P>There are specific bugs in a wide range of web server products,
+including Apache, that allow for or contribute to the exploitation
+of this security problem. These bugs should not be there and
+need to be fixed. But it is critical to realize that this is only
+a tiny part of the total issue. The most serious issue is in all
+the site specific code that generates dynamic content. We are
+bringing you this information to educate you on the issues that
+have been discovered in Apache that are related to this security
+problem but, more importantly, help educate you on how this may
+impact your own local code developed using Apache related technologies
+and how you can fix it.
+
+<P>There is no "golden bullet" patch that server or client vendors
+can release that will magically fix this issue across all web
+servers or clients using that product.
+
+<P>We would also like to point out that it is important to
+understand that this is not the old, well known issue, that if a site
+allows user A to submit content that is viewed by user B, it has to
+be properly encoded. This vulnerability is when the content is both
+submitted and viewed strictly by user A. Due to the difficulty of
+properly encoding output in all situations, many sites do not worry
+about encoding data that is only shown to the user that sent the data
+in their request due to the mistaken assumption that this doesn't pose
+a security threat.
+
+<H2>Does this impact my web site?</H2>
+
+<P>This is a serious security issue, with potential implications
+that are only starting to be understood. However, it is critical
+to realize that this problem does not expose any way to break into
+the server itself. What it allows is for malicious attackers to
+potentially take control of the interaction between a user and a
+website. If your website contains entirely static content with
+all information being publicly accessible, an attacker can gain
+very little from taking over this interaction. It is likely that the
+most serious thing that an attacker can potentially do in this situation
+is change how a page appears to a particular user.
+
+<P>The sites where this poses the most potential danger are sites
+where users have some type of account or login and where they can
+perform actions with real world implications or access data that
+should not be publicly available. This security problem poses a
+serious threat to such sites; it isn't necessary to break into the
+server to take control of a site if instead you can gain access on
+the user's end of things.
+
+<H2>Ok, where is the Apache related information?</H2>
+
+<P>Right here:
+
+<UL>
+<LI><A HREF="apache_specific.html">Apache HTTP server specific information</A>
+<LI>Apache 1.3.12, which provides some protection against certain instances of
+ this problem.
+<LI>Older <A HREF="apache_1.3.11_css_patch.txt">Apache patch</A> against
+1.3.11 that addressed the known issues in that version of Apache.
+<LI><A HREF="encoding_examples.html">Encoding Examples</A> page, describing
+how to properly encode your output to protect against this problem using
+common Apache related technologies, such as Apache modules, Perl,
+and PHP.
+</UL>
+
+<H2>The Future</H2>
+
+<P>We do not expect this to be the last word on methods of exploiting
+this problem. It is likely that there will be more changes to Apache in
+the future to help users deal with this issue, even if no more bugs are
+found in Apache itself. Although we do provide most of the necessary
+information for sites to protect themselves against this type of attack,
+there are still many open issues associated with this issue.
+
+<P>We realize that this is a complex issue and expect to update these
+pages to describe the issues and fixes in more depth as time permits.
+
+<H2>Why the name "Cross Site Scripting"?</H2>
+
+<P>This issue isn't just about scripting, and there isn't necessarily
+anything cross site about it. So why the name? It was coined earlier
+on when the problem was less understood, and it stuck. Believe me, we
+have had more important things to do than think of a better name.
+<g>.
+
+<H2>Comments and Suggestions</H2>
+
+<P>You can send any comments or suggestions about this set of pages to
+<A HREF="mailto:marc@apache.org">marc@apache.org</A>. Note that I
+can not respond to questions or requests for assistance, so if that is
+what you are about to send then please save yourself the effort.
+
+<H2>Change History</H2>
+<UL>
+<LI>Wed Feb 2 01:06:01 MST 2000: initial revision.
+</UL>
+
+<H2>Thanks</H2>
+Thanks to <A HREF="http://www.cert.org/">CERT</A> for contacting the
+Apache Software Foundation and not only allowing us to participate
+in the evaluation and release of this issue, but actively supporting
+our participation. We would also like to thank <A
+HREF="http://www.microsoft.com/">Microsoft</A> for their research and
+cooperation in dealing with this issue.
+
+</BODY>
+</HTML>
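Review bot: in the "Why the name" section the closing `<g>.` is written as a literal tag, which is not an HTML element; browsers will drop it silently and leave a stray "." on its own line. If the grin is meant to show, write it with entities, otherwise remove the line. Two further points in this hunk: the "Apache 1.3.12" list item under "Ok, where is the Apache related information?" is the only entry without a link, so it reads as a dangling reference next to the linked 1.3.11 patch; and the text under the "Thanks" heading is not wrapped in <P> like every other section. The comments address is a personal mailbox with a note that questions will not be answered; consider also pointing readers at a maintained contact so the page does not depend on a single person.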
Added: websites/staging/httpd/trunk/content/info/index.xml
==============================================================================
--- websites/staging/httpd/trunk/content/info/index.xml (added)
+++ websites/staging/httpd/trunk/content/info/index.xml Sun May 6 14:18:02 2012
@@ -0,0 +1,45 @@
+<document>
+ <properties>
+ <author email="docs@httpd.apache.org">Documentation Group</author>
+ <title>Apache HTTP Server Miscellaneous Information</title>
+ </properties>
+<body>
+
+<section>
+<title>Other Information</title>
+
+<section id="library">
+<title>Project Library</title>
+<p>The <a href="../library/">Project Library</a> contains links to
+various documents and resources relevant to the Apache Web server.</p>
+</section>
+
+<section id="css-security">
+<title>Cross Site Scripting security problem</title>
+<p><a href="css-security/">Information</a> on a security vulnerability resulting from the interaction
+between client-side scripting and server-side dynamic content.</p>
+</section>
+
+<section id="dev">
+<title>Apache HTTP Server Development Site</title>
+<p>The <a href="../dev/">Apache development section</a> includes
+information for Apache developers and folks interested in testing
+development releases of Apache software.</p>
+</section>
+
+<section id="books">
+<title>Apache HTTP Server Books</title>
+<p>list of books written about the Apache HTTP Server can be found on
+<a href="http://www.apachebookstore.com/">www.apachebookstore.com</a></p>
+</section>
+
+<section id="mirror">
+<title>How to mirror</title>
+<p>A <a href="http://www.apache.org/info/how-to-mirror.html">description</a>
+of how to setup your site as an Apache mirror.</p>
+</section>
+
+</section>
+
+</body>
+</document>
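Review bot: wording nits in the "books" and "mirror" sections. "list of books written about the Apache HTTP Server can be found on" is missing its leading article and the sentence has no closing period, and "how to setup your site" should be "how to set up your site". In the "css-security" section the link text is just "Information", which gives no context when links are listed out of their sentence; linking the phrase "Cross Site Scripting" or the whole description would read better.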
Added: websites/staging/httpd/trunk/content/info/security_bulletin_20020617.txt
==============================================================================
--- websites/staging/httpd/trunk/content/info/security_bulletin_20020617.txt (added)
+++ websites/staging/httpd/trunk/content/info/security_bulletin_20020617.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,82 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+
+- ---------------------------------------------------------------
+THIS DOCUMENT IS SUPERSEDED BY ASF BULLETIN 20020620
+See http://httpd.apache.org/info/security_bulletin_20020620.txt
+- ---------------------------------------------------------------
+
+Date: June 17, 2002
+Last Updated: June 18, 2002, 14:21 (-0400)
+Product: Apache Web Server
+Versions: Apache 1.3 all versions including 1.3.24, Apache 2 all versions
+up to 2.0.36, Apache 1.2 all versions 1.2.2 onwards.
+
+Introduction:
+
+While testing for Oracle vulnerabilities, Mark Litchfield discovered a
+denial of service attack for Apache on Windows. Investigation by the
+Apache Software Foundation showed that this issue has a wider scope, which
+on some platforms results in a denial of service vulnerability, while on
+some other platforms presents a potential a remote exploit vulnerability.
+
+We were also notified today by ISS that they had published the same issue
+which has forced the early release of this advisory.
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org) has
+assigned the name CVE-2002-0392 to this issue.
+
+Description:
+
+Versions of the Apache web server up to and including 1.3.24 and 2.0 up to
+and including 2.0.36 contain a bug in the routines which deal with invalid
+requests which are encoded using chunked encoding. This bug can be triggered
+remotely by sending a carefully crafted invalid request. This functionality
+is enabled by default.
+
+In most cases the outcome of the invalid request is that the child process
+dealing with the request will terminate. At the least, this could help a
+remote attacker launch a denial of service attack as the parent process
+will eventually have to replace the terminated child process and starting
+new children uses non-trivial amounts of resources.
+
+On the Windows and Netware platforms, Apache runs one multithreaded child
+process to service requests. The teardown and subsequent setup time to
+replace the lost child process presents a significant interruption of
+service. As the Windows and Netware ports create a new process and reread
+the configuration, rather than fork a child process, this delay is much
+more pronounced than on other platforms.
+
+In Apache 2.0 the error condition is correctly detected, so it will not
+allow an attacker to execute arbitrary code on the server. However
+platforms could be using a multithreaded model of multiple concurrent
+requests per child process (although the default preference remains
+multiple processes with a single thread and request per process, and most
+multithreaded models continue to create multiple child processes). Using
+any multithreaded model, all concurrent requests currently served by the
+affected child process will be lost.
+
+In Apache 1.3 the issue causes a stack overflow. Due to the nature of the
+overflow on 32-bit Unix platforms this will cause a segmentation violation
+and the child will terminate. However on 64-bit platforms the overflow
+can be controlled and so for platforms that store return addresses on the
+stack it is likely that it is further exploitable. This could allow
+arbitrary code to be run on the server as the user the Apache children are
+set to run as. We have been made aware that Apache 1.3 on Windows is
+exploitable in a similar way as well.
+
+Users of Apache 1.3 should upgrade to 1.3.26, and users of Apache 2.0
+should upgrade to 2.0.39, which contain a fix for this issue.
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: PGP 6.5.8
+
+iQEVAwUBPRK9xtc6kLhrup1dAQGwMgf+I6+RMNXdjO1fQWT5nui4NhWcjZ4jPSwJ
+D4/geaY0EvffTw4FENogKVNimeqMeEKWVnLrMlqRyDmokVliszhva9Mbjy0PWgZ2
+YNjFUEzHckGB49Ex3KRnSwg6A0ife5OWKTEdyRBCfP7PPowsa53OTbz6wxMA8+dK
+5l5zr/XNOoPFtaEB8/dGqaYDrpkcjrcJAUYhGfRm2vB8UJXpilxYq5ATtSLaTKGS
+JRlfObSdMlfCeWZk2dk7j6bpczulVriE6xvUHUiMxSCy+XbOcgZyNeSUmqYEpvZm
+/tmsCQ9RAA72w+lIZQ0JIr1p7spaNOSPdIwM4iHcbEcubLdDEmH/xg==
+=H4Cy
+-----END PGP SIGNATURE-----
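Review bot: this file is PGP clear-signed, so the body between the BEGIN PGP SIGNED MESSAGE and BEGIN PGP SIGNATURE lines has to be stored byte for byte, and that includes the typo "presents a potential a remote exploit vulnerability" in the Introduction, which should not be corrected in place. Please confirm the signature still verifies on the committed copy, since any whitespace or line-ending normalisation by the site tooling would break it. The Apache 1.3 paragraph states that on 32-bit Unix the overflow only causes a segmentation violation; the "SUPERSEDED BY ASF BULLETIN 20020620" banner at the top is what keeps readers from relying on that, so any index page linking here should repeat the superseded status rather than present both bulletins as equals.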
Added: websites/staging/httpd/trunk/content/info/security_bulletin_20020620.txt
==============================================================================
--- websites/staging/httpd/trunk/content/info/security_bulletin_20020620.txt (added)
+++ websites/staging/httpd/trunk/content/info/security_bulletin_20020620.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,99 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+
+SUPERSEDES: http://httpd.apache.org/info/security_bulletin_20020617.txt
+
+Date: June 20, 2002
+Product: Apache Web Server
+Versions: Apache 1.3 all versions including 1.3.24; Apache 2.0 all versions
+up to 2.0.36; Apache 1.2 all versions.
+
+CVE-2002-0392 (mitre.org) [CERT VU#944335]
+
+- ----------------------------------------------------------
+ ------------UPDATED ADVISORY------------
+- ----------------------------------------------------------
+Introduction:
+
+While testing for Oracle vulnerabilities, Mark Litchfield discovered a
+denial of service attack for Apache on Windows. Investigation by the
+Apache Software Foundation showed that this issue has a wider scope, which
+on some platforms results in a denial of service vulnerability, while on
+some other platforms presents a potential remote exploit vulnerability.
+
+This follow-up to our earlier advisory is to warn of known-exploitable
+conditions related to this vulnerability on both 64-bit platforms and
+32-bit platforms alike. Though we previously reported that 32-bit
+platforms were not remotely exploitable, it has since been proven by
+Gobbles that certain conditions allowing exploitation do exist.
+
+Successful exploitation of this vulnerability can lead to the execution of
+arbitrary code on the server with the permissions of the web server child
+process. This can facilitate the further exploitation of vulnerabilities
+unrelated to Apache on the local system, potentially allowing the intruder
+root access.
+
+Note that early patches for this issue released by ISS and others do not
+address its full scope.
+
+Due to the existence of exploits circulating in the wild for some platforms,
+the risk is considered high.
+
+The Apache Software Foundation has released versions 1.3.26 and 2.0.39
+that address and fix this issue, and all users are urged to upgrade
+immediately.
+
+As a reminder, we respectfully request that anyone who finds a potential
+vulnerability in our software reports it to security@apache.org.
+
+
+- ----------------------------------------------------------
+Full Description:
+
+Versions of the Apache web server up to and including 1.3.24 and 2.0
+up to and including 2.0.36 contain a bug in the routines that deal with
+requests encoded using chunked encoding. This bug can be triggered
+remotely, and this functionality is enabled by default.
+
+In most cases the outcome of the invalid request is that the child process
+dealing with the request will terminate. At the least, this could help a
+remote attacker launch a denial of service attack as the parent process
+will eventually have to replace the terminated child process, and starting
+new children uses non-trivial amounts of resources.
+
+On the Windows and Netware platforms, Apache runs one multithreaded child
+process to service requests. The teardown and subsequent setup time to
+replace the lost child process presents a significant interruption of
+service. As the Windows and Netware ports create a new process and reread
+the configuration, rather than fork a child process, this delay is much
+more pronounced than on other platforms.
+
+In Apache 2.0, the error condition is correctly detected, so it will not
+allow an attacker to execute arbitrary code on the server. However,
+platforms could be using a multithreaded model with multiple concurrent
+requests per child process (although the default preference remains
+multiple processes with a single thread and request per process, and most
+multithreaded models continue to create multiple child processes). Using
+any multithreaded model, all concurrent requests currently served by the
+affected child process will be lost.
+
+In Apache 1.3, the issue should cause a stack overflow. Due to the nature
+of the overflow on 32-bit Unix platforms, this should cause a segmentation
+violation and cause the child to terminate. However, some 32-bit platforms
+are indeed exploitable due to quirks in their implementation. 64-bit
+platforms are also likely to be exploitable due to a data type conversion
+that occurs within Apache. We have been made aware that Apache 1.3 on
+Windows is exploitable in a similar way as well.
+
+
+-----BEGIN PGP SIGNATURE-----
+Version: PGP 6.5.8
+
+iQEVAwUBPRK8ztc6kLhrup1dAQEfzQf+NbNSVtg+nrcipH2DEnsLCbd0odjwHAZM
+gBpJPShl5D+AFhxu3gNiMkOtnQs+LkyCQinYJErVNXUzK5das9VyBdtGswsXsKs0
+N/stacgdMg8fxenyK0CDhlUl3QLaVSit08Hwads0yYbeIEAKoLx/n7AvGr2CvDnh
+fStxMvaiJgqadeq3udRSyy1UMl+hrxy2xMGZ3ducPMi5Bt/riZh+NJuEKazHosDY
+98wEvGQWPMWoYOWxI1Y45slu+QVrkbrgnkKvMDT6WHBDzD/we3I6ulHjoaBjMEF0
+7m2bEBFL902SE4UDf1n2DxLFZHR8VMSFwUhqkPRNLxVbV42yxJwa2Q==
+=vV/N
+-----END PGP SIGNATURE-----
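Review bot: the "Versions:" header here lists "Apache 1.2 all versions", while the bulletin this one supersedes listed "Apache 1.2 all versions 1.2.2 onwards", and nothing in the text explains the change in range. Because the body is clear-signed it cannot be amended, so the discrepancy is best noted on whatever page links to the two bulletins. The same applies to remediation detail: the text names 1.3.26 and 2.0.39 as the fixed releases but gives no download location and no interim mitigation for sites that cannot upgrade immediately, which a linking page could supply. As with the earlier bulletin, verify the signature against the committed bytes.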
Added: websites/staging/httpd/trunk/content/info/security_bulletin_20020809a.txt
==============================================================================
--- websites/staging/httpd/trunk/content/info/security_bulletin_20020809a.txt (added)
+++ websites/staging/httpd/trunk/content/info/security_bulletin_20020809a.txt Sun May 6 14:18:02 2012
@@ -0,0 +1,67 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+For Immediate Disclosure
+
+=============== SUMMARY ================
+
+ Title: Apache 2.0 vulnerability affects non-Unix platforms
+ Date: 9th August 2002
+ Revision: 2
+ Product Name: Apache HTTP server 2.0
+ OS/Platform: Windows, OS2, Netware
+Permanent URL: http://httpd.apache.org/info/security_bulletin_20020809a.txt
+ Vendor Name: Apache Software Foundation
+ Vendor URL: http://httpd.apache.org/
+ Affects: All Released versions of 2.0 through 2.0.39
+ Fixed in: 2.0.40
+ Identifiers: CVE-2002-0661
+
+=============== DESCRIPTION ================
+
+Apache is a powerful, full-featured, efficient, and freely-available Web
+server. On the 7th August 2002, The Apache Software Foundation was
+notified of the discovery of a significant vulnerability, identified by
+Auriemma Luigi <bu...@sitoverde.com>.
+
+This vulnerability has the potential to allow an attacker to inflict
+serious damage to a server, and reveal sensitive data. This vulnerability
+affects default installations of the Apache web server.
+
+Unix and other variant platforms appear unaffected. Cygwin users are
+likely to be affected.
+
+=============== SOLUTION ================
+
+A simple one line workaround in the httpd.conf file will close the
+vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add
+the following directive to the global server configuration:
+
+ RedirectMatch 400 "\\\.\."
+
+Fixes for this vulnerability are also included in Apache HTTP server
+version 2.0.40. The 2.0.40 release also contains fixes for two minor
+path-revealing exposures. This release of Apache is available at
+http://www.apache.org/dist/httpd/
+
+More information will be made available by the Apache Software
+Foundation and Auriemma Luigi <bu...@sitoverde.com> in the
+coming weeks.
+
+=============== REFERENCES ================
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org) has
+assigned the name CVE-2002-0661 to this issue.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0661
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iQCVAwUBPVQro+6tTP1JpWPZAQEyNgP/Z/b97smPeXO5cpHtvj4cJc4PFWCZwrmI
+3A+Pevcj12KUAbBqUhtt72bV12xrnJ1dVe6q2EEmGq5HAlC76IZTww+XPgYPjwD6
+Du9CPZ9PYFo3IguPYEVSpB6dIOhgsJQ3OswsJ8KLqdyl2EpqG4BXX3/L4DklMaza
+XmziDuXjoZc=
+=4WPC
+-----END PGP SIGNATURE-----
+
+
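Review bot: the SOLUTION section gives the workaround `RedirectMatch 400 "\\\.\."` without saying what the pattern matches, and the DESCRIPTION only says the issue can "inflict serious damage" and "reveal sensitive data", so an administrator cannot tell what requests will start returning 400 or judge whether the workaround interacts with existing rules. The pattern appears to target a backslash followed by dots in the request path; a one-line explanation on the linking page would help, along with a reminder of the ordering requirement stated here ("Prior to the first 'Alias' or 'Redirect' directive"), since a misplaced directive would leave the workaround ineffective without any visible error. The body is clear-signed, so add that context outside the file and check that the signature verifies on the committed copy, including the reporter address lines as they appear here.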