Weblog

23 January 2016, 12:03

Can you bypass Hiawatha's SQL-injection protection?

http://sqli.hiawatha-webserver.org/

Tags: security
by Hugo Leisink
4 December 2015, 18:13

A month ago, I was interviewed by Chris van 't Hof, during his Tek Tok sessions at the National Cyber Security Research Agenda symposium. I've put the recorded audio file online, if you want to hear what was discussed. Of course, the session was in Dutch. The image below is what I used during the interview.

An impression of the session:

Tags: funpromo
by Hugo Leisink
25 November 2015, 20:06

Today, I've released a new major version of the Hiawatha webserver. The biggest change in v10.0 is a different way of handling Directory sections. The path is now relative to the document root of a website.

VirtualHost {
    Hostname = www.example.com
    ...
    UseDirectory = static, files
}

Directory {
    DirectoryID = static
    Path = /css, /fonts, /images, /js
    ExpirePeriod = 2 weeks
}

Directory {
    DirectoryID = files
    Path = /files
    ShowIndex = yes
}

Another new feature is the support for GZip content encoding, which makes the UseGZfile option obsolete. The rest of the new features can be found in the ChangeLog.

by Hugo Leisink

I've released a first beta version of Hiawatha v10.0. The ChangeLog for this release is:

  • Usage of Directory sections changed.
  • Added support for RFC 5785.
  • Added support for GZip compression. Removed the UseGZfile option.
  • Added ECDSA support for TLS 1.0 and TLS 1.1.
  • Replaced UrlToolkit Expire option with ExpirePeriod in Directory section.
  • Replaced IgnoreDotHiawatha option with UseLocalConfig.
  • Removed the VolatileObject option.
  • Improved SQL injection detection.
  • mbed TLS updated to 2.2.0.

I'd really like to hear your thoughts on this one. A copy can, as always, be obtained at the download page.

by Hugo Leisink
3 November 2015, 18:00

Here are my plans for the next major release of the Hiawatha webserver. All are configuration related.

  • The biggest change is the different way of handling Directory{} sections. Directory settings will be linked to virtual hosts, just like UrlToolkits and FastCGI servers. Paths will be relative to the DocumentRoot of the virtual host.
    VirtualHost {
      ...
      UseDirectory = mydir[, ...]
    }
    
    Directory {
      DirectoryID = mydir
      Path = /files
      ...
    }
    
  • Add support for on-the-fly GZip content encoding. Will make the UseGZfile option obsolete.
  • Make 'yes' the default for IgnoreDotHiawatha.
  • Remove the VolatileObject option. This can also be done via a CGI application.
  • Remove the UserWebsites option. Nobody uses it and it can be simulated via the Alias option.

Please, let me know what you think of it.

by Hugo Leisink
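Both the v10.0 release post and the plans post above describe the same change: Directory sections are linked to a virtual host through UseDirectory, and their Path values are relative to that host's document root. The checker below is an added example, written for this page and not part of Hiawatha or its configuration parser. It reads the `Section { Key = value }` block syntax shown in the posts, resolves every UseDirectory entry against the DirectoryID of the Directory sections, and flags entries that point at an undefined DirectoryID, paths that are not root-relative (left over from the old absolute-path style), and paths that would resolve outside the document root. The `WebsiteRoot` key is assumed to hold the virtual host's document root, and both configurations embedded at the bottom are constructed test input.

```python
"""Added example: a small linter for Hiawatha-style v10.0 Directory sections.

This is a hypothetical checker, not Hiawatha's own parser.  It understands the
``Section { Key = value }`` syntax from the blog posts, assumes the
``WebsiteRoot`` key holds a virtual host's document root, and reports Directory
paths that are not relative to that root or that escape it.
"""
import os
import re

# One section per match: a name followed by a brace-delimited body (no nesting).
_SECTION_RE = re.compile(r"(\w+)\s*\{([^}]*)\}")


def parse_config(text):
    """Return a list of (section_name, {key: value}) tuples in file order."""
    sections = []
    for name, body in _SECTION_RE.findall(text):
        settings = {}
        for line in body.splitlines():
            line = line.strip()
            # Skip blanks, comments and lines without an assignment (e.g. "...").
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
        sections.append((name, settings))
    return sections


def _split_list(value):
    """Split a comma-separated option value such as 'static, files'."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_directories(text):
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    sections = parse_config(text)
    directories = {s["DirectoryID"]: s for name, s in sections
                   if name == "Directory" and "DirectoryID" in s}
    for name, host in sections:
        if name != "VirtualHost":
            continue
        hostname = host.get("Hostname", "<no Hostname>")
        root = os.path.normpath(host.get("WebsiteRoot", "/"))
        for dir_id in _split_list(host.get("UseDirectory", "")):
            if dir_id not in directories:
                findings.append(f"{hostname}: UseDirectory refers to unknown "
                                f"DirectoryID '{dir_id}'")
                continue
            for path in _split_list(directories[dir_id].get("Path", "")):
                if not path.startswith("/"):
                    findings.append(f"{hostname}/{dir_id}: Path '{path}' is not "
                                    f"relative to the document root (must start with '/')")
                    continue
                # Resolve the root-relative path and make sure it stays inside the root.
                resolved = os.path.normpath(os.path.join(root, path.lstrip("/")))
                if os.path.commonpath([root, resolved]) != root:
                    findings.append(f"{hostname}/{dir_id}: Path '{path}' escapes "
                                    f"the document root {root}")
    return findings


# Constructed sample: the configuration from the v10.0 post plus a WebsiteRoot.
GOOD_CONFIG = """
VirtualHost {
    Hostname = www.example.com
    WebsiteRoot = /var/www/example
    UseDirectory = static, files
}
Directory {
    DirectoryID = static
    Path = /css, /fonts, /images, /js
    ExpirePeriod = 2 weeks
}
Directory {
    DirectoryID = files
    Path = /files
    ShowIndex = yes
}
"""

# Constructed sample with three mistakes: a traversal path, an old-style
# non-root-relative path, and a reference to a DirectoryID that does not exist.
BAD_CONFIG = """
VirtualHost {
    Hostname = bad.example.com
    WebsiteRoot = /var/www/bad
    UseDirectory = uploads, missing
}
Directory {
    DirectoryID = uploads
    Path = /uploads, /../../etc, data
}
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_directories(cfg) or "OK")
```

Running the script prints `OK` for the first configuration and three findings for the second. The escape check deliberately normalises the joined path before comparing it with the root, so a `..` hidden in the middle of an otherwise valid path is caught as well as a leading one.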