From: mhp@netcraft.com (Mike Prettejohn)
To: lwn@lwn.net
Subject: October 2001 Netcraft Web Server Survey
Date: Thu, 1 Nov 2001 06:20:33 GMT
The October 2001 Netcraft Web Server Survey is out;
http://www.netcraft.com/survey/
Top Developers
Developer    September 2001  Percent  October 2001  Percent  Change
Apache             19279109    59.51      18851352    56.89   -2.62
Microsoft           8895343    27.46       9607363    28.99    1.53
iPlanet             1319271     4.07       1278720     3.86   -0.21
Zeus                 783261     2.42        775438     2.34   -0.08
Active Sites
Developer    September 2001  Percent  October 2001  Percent  Change
Apache              7924169    60.86       7781145    61.36    0.50
Microsoft           3905978    30.00       3612310    28.49   -1.51
iPlanet              268063     2.06        249418     1.97   -0.09
Zeus                 166077     1.28        171023     1.35    0.07
Around the Net
The number of Apache sites found by this month's survey actually fell
in absolute numbers as well as percentages, primarily as a result of a
routing problem in Germany causing around a 5-10% reduction in sites
responding in that country, and more significant losses of mass shared
hosting sites at [1]Exodus, [2]KPNQwest, and [3]Bell South.
Emphasizing the hard times in the mass hosting industry, Microsoft's
significant loss of active sites is primarily attributable to an
adjustment of the business model at a large hoster of free shared
sites, [4]homestead.com, which this month [5]revoked access to many
of their users' free sites until they pay.
Microsoft-IIS competitive upgrades
Over the last two months most of the vendors in the web server
marketplace have run competitive upgrade initiatives aimed at
Microsoft-IIS.
[6]iPlanet is [7]offering a reduced price for sites
transitioning to Netscape-Enterprise, and is also including a free
copy of the [8]ChiliSoft ASP implementation to assist people
migrating ASP applications.
Chilisoft competitor [9]Halcyon Software has a similar program,
with its marketing [10]material making an interesting point that
major Microsoft partners [11]IBM and [12]HP each have policies
forbidding the use of Microsoft-IIS on internet facing networks.
In the case of IBM this is demonstrably true with only 3 out of
several hundred [13]IBM sites running Microsoft-IIS, and, as the
Halcyon material describes, these are the sites responsible for
IBM's entries in the [14]defacement archives.
However, in the case of HP any ban on Microsoft-IIS must be
very weakly enforced, as there is a varied mixture of Microsoft-IIS,
Apache and Netscape-Enterprise running HP's [15]sites, though
Microsoft-IIS critics would point out that HP has suffered many more
[16]defacements over the last year than IBM.
[17]Zeus has [18]announced a new version of their server with a
comprehensive set of new facilities, and some [19]strong
statements on Zeus' security track record.
Zeus' strategy includes one of "embrace and extend" with Microsoft-IIS,
by promoting the use of Zeus as a secure reverse proxy sitting in
front of existing Microsoft-IIS deployments. This could find favour
with busy Microsoft-IIS sites, as they can continue to develop
their site in exactly the same way as before, and view the Zeus
server as a black box in front of the existing server, providing
caching and URL filtering.
[20]Oracle will now support [21]their version of Apache across all
platforms including Win32. However, this move may be as much aimed
at IBM, who also provide Apache in conjunction with their
WebSphere application server, as against Microsoft.
It is interesting to be able to report on how some of the competitive
offers are faring. During the last month, some 1,506 Microsoft-IIS
sites have moved to Zeus, and 1,719 are now running Netscape-Enterprise.
Ironically, the lion's share of the 131,417 sites which have moved from
Microsoft-IIS have moved to Apache, which has no explicit campaign
to encourage Microsoft-IIS sites to transition to the server,
though at least 4500 of these are running on Cobalt servers,
traditionally a close competitor for Microsoft in the dedicated
server market.
Some sites that have made the move include [22]fatbrain.com,
[23]auctions.zdnet.com, [24]electronics.cnet.com, and [25]www.nba.com,
while Halcyonsoft have taken their own advice and switched
[26]www.halcyonsoft.com to Win32 Apache.
Web Server Security
Our table of vulnerabilities in SSL sites tested by us for the first
time in each month attracted a lot of comment last month. One request
was that we should show more clearly the percentage of sites allowing
execution of commands on the server, rather than just showing
statistics for individual vulnerabilities, as these would be inflated
by a given site being concurrently vulnerable to multiple exploits.
This is set out in the table below. The number of sites found to be
vulnerable by our [27]tests peaked at over 60% in June, and shows how
ripe the internet was for Code Red. The significant fall since shows
the combined impact of Code Red and Microsoft's first [28]cumulative
security patch.
One would expect that Microsoft is delighted at the success of the
cumulative patch, but disappointed that a significant minority of the
Microsoft-IIS community is still very exposed and some 1 in 10 sites
providing ecommerce and encrypted transactions have backdoors in place
to allow external attackers to monitor the systems, and have commands
executed on the machines.
% of Vulnerable Microsoft-IIS SSL Sites to October 2001
http://www.netcraft.com/survey/comp0110.gif
Vulnerabilities                   May-01  Jun-01  Jul-01  Aug-01  Sep-01  Oct-01
Administration pages accessible   23.08%  35.71%  11.76%  10.26%  17.14%  24.69%
Cross-site scripting              73.08%  57.14%  36.47%  19.23%  22.86%  13.58%
URL decode bugs                   34.62%  42.86%  32.94%  16.67%  17.14%  12.35%
Sample pages and scripts          15.38%  28.57%  14.12%  16.67%  17.14%  25.93%
Server paths revealed             36.54%  50.00%  22.94%   6.41%   8.57%   9.88%
Viewing script source code        25.00%  21.43%  11.18%   3.85%  11.47%   4.94%
WebDAV configuration              30.77%  50.00%  47.65%  43.59%  37.14%  34.57%
IIS .printer overflow             23.08%  21.43%  10.00%   2.56%   2.86%   1.23%
Code Red Vulnerable                0.00%  14.29%  34.71%   2.00%   0.00%   2.47%
root.exe installed                 5.77%   7.14%  10.00%  12.82%   8.57%  11.11%
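The point made above about per-vulnerability percentages being inflated when one site is vulnerable to several exploits at once is illustrated here with an added example (not Netcraft's survey code or data): constructed per-site findings, the per-class percentages as the table reports them, and the de-duplicated "sites allowing command execution" figure. Which classes count as command execution is our assumption, since the survey does not list them.

```python
from collections import Counter

# Constructed sample: each SSL site tested this month, with the vulnerability
# classes found on it (names follow the survey table). Not Netcraft's data.
SAMPLE_SITES = {
    "site-a": {"Cross-site scripting", "URL decode bugs", "root.exe installed"},
    "site-b": {"WebDAV configuration"},
    "site-c": {"IIS .printer overflow", "Code Red Vulnerable", "root.exe installed"},
    "site-d": set(),
    "site-e": {"Server paths revealed", "Sample pages and scripts"},
    "site-f": {"URL decode bugs"},
    "site-g": set(),
    "site-h": {"Administration pages accessible", "Cross-site scripting"},
}

# Assumption: these classes let a remote party run commands on the host.
# The survey text does not define this set, so the mapping is ours.
COMMAND_EXECUTION = {
    "URL decode bugs",
    "IIS .printer overflow",
    "Code Red Vulnerable",
    "root.exe installed",
}


def per_vulnerability_percent(sites):
    """Percentage of sites affected by each class, as in the survey table."""
    counts = Counter(v for vulns in sites.values() for v in vulns)
    total = len(sites)
    return {v: round(100.0 * c / total, 2) for v, c in counts.items()}


def command_execution_percent(sites, classes=COMMAND_EXECUTION):
    """Percentage of sites with at least one command-execution class.
    A site counts once however many such classes it is exposed to."""
    hit = sum(1 for vulns in sites.values() if vulns & classes)
    return round(100.0 * hit / len(sites), 2)


def naive_sum_percent(sites, classes=COMMAND_EXECUTION):
    """Adding the per-class percentages instead: overstated whenever a
    site is concurrently vulnerable to more than one of them."""
    pct = per_vulnerability_percent(sites)
    return round(sum(pct.get(c, 0.0) for c in classes), 2)


if __name__ == "__main__":
    print(per_vulnerability_percent(SAMPLE_SITES))
    print("naive sum:", naive_sum_percent(SAMPLE_SITES))
    print("sites allowing command execution:", command_execution_percent(SAMPLE_SITES))
```

On the constructed sample the naive sum gives 75% while only 37.5% of sites actually expose command execution, which is why the survey reports the de-duplicated figure separately.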
Internet Research from Netcraft.
Netcraft does commercial internet research projects. These include
custom cuts on the Web Server Survey data, hosting industry analysis,
corporate use of internet technology and bespoke projects. All of the data
is gathered through network exploration, not teleresearch.
sales@netcraft.com
Network Security Testing from Netcraft.
Netcraft provides automated network security testing of customer networks
and consultancy audits of ecommerce sites. Clients include IBM,
Hewlett Packard, Deloitte & Touche, Energis, Britannic Assurance,
Guardian Royal Exchange, Lloyds of London, Laura Ashley, etc.
Details at http://www.netcraft.com/security/
References
1. http://www.exodus.net/
2. http://www.kpnqwest.net/
3. http://www.bellsouth.net/
4. http://www.homestead.com/
5. http://anything.homestead.com/
6. http://www.iplanet.com/
7. http://www.iplanet.com/about_us/press_release/web_security_5_1_1_100801.html
8. http://www.chilisoft.com/iws/default.asp
9. http://www.halcyonsoft.com/
10. http://www.halcyonsoft.com/news/immunity.asp
11. http://www.ibm.com/
12. http://www.hp.com/
13. http://www.netcraft.com/Survey/Reports/200110/developers/ibm.html
14. http://defaced.alldas.de/?search=ibm.com
15. http://www.netcraft.com/Survey/Reports/200110/developers/hp.html
16. http://defaced.alldas.de/?search=hp.com
17. http://www.zeus.com/
18. http://www.zeus.com/news/articles/011017-001/
19. http://news.cnet.com/news/0-1003-200-7615702.html
20. http://www.oracle.com/
21. http://otn.oracle.com/products/ias/pdf/ohs-overview-v1022.pdf
22. http://www.netcraft.com/cgi-bin/Survey/whats?host=fatbrain.com&port=80
23. http://www.netcraft.com/cgi-bin/Survey/whats?host=auctions.zdnet.com&port=80
24. http://www.netcraft.com/cgi-bin/Survey/whats?host=electronics.cnet.com&port=80
25. http://www.netcraft.com/cgi-bin/Survey/whats?host=www.nba.com&port=80
26. http://www.netcraft.com/cgi-bin/Survey/whats?host=www.halcyonsoft.com&port=80
27. http://www.netcraft.com/security/
28. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/topics/codered.asp
To unsubscribe from the Netcraft Web Server Survey Announcements list
send the message
unsubscribe webserver-survey
to majordomo@netcraft.com
To resubscribe send the message
subscribe webserver-survey
Mike
--
Mike Prettejohn
mhp@netcraft.com Phone +44 1225 447500 Fax +44 1225 448600
Netcraft Rockfield House Granville Road Bath BA1 9BQ England