New User Interface
The user interface has been given a more modern-looking theme.
26 June 2007
Patch for Admin XSS issue
KeyFocus issued a patch for a cross-site scripting issue that has recently been identified in the KF Web Server admin script.
We consider this issue to be of minor severity as it does not affect web sites hosted by the web server.
The problem is not in the web server itself but in the admin script hosted by the server. In order to access this script the attacker would need to be logged onto the server locally and have the admin password. With that level of access they would already have complete control of the web server configuration, in effect root access, so there would be no need to use this technique.
We do take this issue and all security issues seriously and have issued a patch which can be obtained from the download page.
17 June 2006
Faster CGI Performance
The way the server interacts with CGI applications such as PHP and Perl has been rewritten to make it much faster.
This is most noticeable when the CGI pages are large or when CGI is used to download big files.
16 February 2006
User Interface Improvements
A link to the hosted website has been added to each website in the status menu, allowing the web site to be viewed by a single click.
Additional Path Info
We have added support for additional virtual directories in the URL as described in the CGI standard.
Many scripts use this facility to pass parameters to the script without the need for a query. This has the benefit of providing permalinks.
will call the script /post.php and pass /2005/02/ in the PATH_INFO environment variable.
This feature is only available for files types set up with a CGI filter map.
It is turned off by default as it has a slight impact on performance and can lead to confusion if not required.
To enable it go to the Server -> General menu.
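The split described above, as an added example that is not KF Web Server code. The request path /post.php/2005/02/ is constructed from the two values the page gives, and CGI_EXTENSIONS, split_path_info and safe_path_info are hypothetical names; the second function shows the check a script should make before using PATH_INFO, since the client chooses its content.

```python
import posixpath

# Assumption: the file types that have a CGI filter map configured.
CGI_EXTENSIONS = {".php", ".pl"}


def split_path_info(url_path, cgi_extensions=CGI_EXTENSIONS):
    """Return (script_name, path_info) for a URL path.

    The script is the first path segment whose extension is CGI-mapped;
    everything after that segment becomes PATH_INFO. A path with no
    CGI-mapped segment is returned whole, with an empty PATH_INFO, so it
    is looked up as an ordinary file.
    """
    segments = url_path.split("/")
    for i, segment in enumerate(segments):
        ext = posixpath.splitext(segment)[1].lower()
        if ext in cgi_extensions:
            script = "/".join(segments[: i + 1])
            if i + 1 < len(segments):
                return script, "/" + "/".join(segments[i + 1:])
            return script, ""
    return url_path, ""


def safe_path_info(path_info):
    """Refuse NUL bytes, backslashes and dot segments in PATH_INFO before a
    script turns it into a file name or a lookup key."""
    if "\x00" in path_info or "\\" in path_info:
        return False
    return not any(seg in (".", "..") for seg in path_info.split("/"))


if __name__ == "__main__":
    for path in ("/post.php/2005/02/", "/post.php", "/images/logo.gif/2005"):
        print(path, "->", split_path_info(path))
```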
URL Re-write Rules
URL Rewrite Rules are a powerful feature that allows you to manipulate the URL received by the web server into a different form.
Rewrite Rules can do everything an alias can do and more, but they are complex to set up.
They work by searching the URL for a specified pattern and then replacing it with the substitution text.
The pattern is a Perl-compatible regular expression.
The substitution can include 'back-references', which refer to the sub-patterns in the pattern.
This allows very sophisticated substitutions to be made.
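A worked rewrite rule with back-references, as an added example that is not taken from KF Web Server. Python's re module stands in for PCRE, the \1 and \2 substitution syntax is Python's (the server's own syntax is not shown here), and the rules and URLs are constructed. It also shows why a pattern should be anchored: an unanchored pattern is found inside URLs it was never meant for.

```python
import re

# Constructed rules: map a permalink such as /archive/2005/02/ onto a script.
SUBSTITUTION = r"/post.php?year=\1&month=\2"
UNANCHORED = [(r"/archive/(\d+)/(\d+)/", SUBSTITUTION)]
ANCHORED = [(r"^/archive/(\d{4})/(\d{2})/$", SUBSTITUTION)]


def rewrite(url, rules):
    """Search the URL for each pattern in turn and replace the first match
    with the substitution text. A URL that matches no rule is unchanged."""
    for pattern, substitution in rules:
        new_url, hits = re.subn(pattern, substitution, url, count=1)
        if hits:
            return new_url
    return url


def demo():
    """Rewrite two constructed URLs with both rule sets for comparison."""
    urls = ["/archive/2005/02/", "/private/archive/1/2/notes.txt"]
    return {u: (rewrite(u, UNANCHORED), rewrite(u, ANCHORED)) for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in demo().items():
        print(f"{url!r}: unanchored -> {loose!r}, anchored -> {strict!r}")
```

With the unanchored rule the second URL is rewritten in the middle and its trailing text ends up inside the month parameter; the anchored rule leaves it alone.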
11 October 2003
Large CGI post
A problem that limited the maximum size of data that could be posted to a CGI page has been removed.
31 August 2003
Several changes have been made to the server internals to make it faster and more reliable.
Change to log format
The W3C log file output has been changed to make it more compatible with the Analog log file analyser.
17 April 2003
CGI Clear Browser Cache
If this is checked then CGI pages will have a no-cache header added to the returned page.
This ensures a user's browser does not store the page for even short periods of time.
Use this option if you have a dynamic web site with constantly changing pages.
To access this option go to the Web Sites -> Cache sub-menu.
Now works with pages containing queries.
Monitor pop up menu
The pop up menu now always appears in the correct place.
21 March 2003
Admin Interface Released As Open Source
KeyFocus has released the source code for the Admin Interface to enable you to make custom modifications and translate it into other languages.
The Admin Interface has been released under the Mozilla Public License.
The rest of KF Web Server is not subject to this license and the source code will not be released.
Internet Explorer Error Messages
When an error message is returned from a web server Microsoft Internet Explorer sometimes decides to display its
own error page instead of the error page returned by the server. This was the case with the "404 Not Found" error
page returned by KF Web Server. This is a non standard and undocumented Microsoft feature.
KF Web Server now returns an error page that Microsoft Internet Explorer will always display. If you are using a "custom error script", then you will have to update it or replace it with the contents of the
file "servererror.wkf.new", that is installed as part of this release.
Thanks to Hugo González for suggesting a solution to this issue.
Range Requests Problem
A flaw in the way the server handled certain types of range request has been corrected.
This affected certain special download acceleration tools.
Thanks to Jose for bringing this to our attention.
Server Running Time
The server running time displayed in the status page of the administration interface could be wrong,
depending on the time zone.
Thanks to all the users who pointed this out.
Log Time always in GMT
A bug was introduced in version 2.0.0 that caused the server to always use Greenwich Mean Time
for log entries even when not specified in the configuration. This has now been fixed.
Thanks to Gary Raymond for spotting this one.
25 January 2003
Rotating Log Files
In previous versions all requests to a web site were written to a single log file. This means the log file would keep
growing. It is now possible to rotate the log files each day, week or month. This makes managing
and archiving old log files a lot easier. When a new log file is created the date is added to its name.
CGI Executable Direct Execution
Certain CGI EXE programs are designed to be run directly from a HTML link. Previously these types of application
were not allowed in KFWS for security reasons. It is now possible for them to be executed.
Host Wild Card
It is now possible to add a wild card to a domain name so that a web site can be matched against a number of similar
domain names. A new field called "Server Match Name" has been added to the Advanced screen for each web site.
KF Web Server can now cache output from CGI applications. This can lead to a dramatic increase in performance
for sites that have a large number of users.
Support for large files
In previous versions a file was loaded completely into memory, before being sent to a client. A site hosting large files,
e.g. 100+ MB, would experience a performance hit as the web server used a lot of the available system memory. This version
handles large files in small chunks, without the need for a large amount of memory.
The Sin Bin is a mechanism to restrict clients that make excessive demands on the web server, by slowing down responses to
their requests, or even excluding them from the server altogether.
Disable Range Requests
Range requests are used by download utilities to download different parts of a large file simultaneously.
Turning off this option will prevent such utilities from working, but not prevent a normal browser from downloading a file.
Monitor Busy Indicator
The Monitor Busy Indicator now works when KFWS is installed as a system service on Windows XP.
Bad URL Security Problem
A flaw in the way the server handled certain invalid URL paths has been corrected.
Thanks to Matt Murphy for bringing this to our attention.
Security vulnerability - malformed header
A security vulnerability exists in all previous versions where a hacker using a special malformed
HTTP header could cause a buffer overflow. This is fixed in this version.
The following event is written to the system log, "Request Error: Invalid header", if someone attempts to attack the server in this way.
Thank you to Paul Beechey of QinetiQ for letting us know about this one.
PERL Integration
A few minor issues getting PERL scripts to work
19 July 2002
Fixed a problem with running the server as a system service, which was introduced in version 1.0.4.
Security vulnerability - %00
If the requested URL contains a %00 after a directory name, then the server used to generate an index of the files
in the directory. This allowed a hacker to bypass the default index file.
This security flaw does not allow a hacker to view any files or directories for which permission has not been granted.
Thank you to Arnaud Jacques from Securite Info for letting us know about this one.
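A request-path check of the kind this fix calls for, as an added example that is not KF Web Server code. It decodes the percent-escapes first and validates the decoded bytes, so %00 is seen as the NUL byte it becomes. The ALLOWED set is an assumption (the characters the server actually permits are not listed here), and decode_request_path and verdict are hypothetical names.

```python
from urllib.parse import unquote_to_bytes

# Assumption: a conservative allow-list chosen for this example.
ALLOWED = set(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-"
)


class BadRequestPath(ValueError):
    """Raised when a request path must be refused before any file lookup."""


def decode_request_path(raw_path):
    """Percent-decode exactly once, then validate what the decoder produced.

    Checking the raw text instead would see '%00' as three ordinary
    characters and let the NUL byte through to the file-system code.
    """
    decoded = unquote_to_bytes(raw_path)
    if b"\x00" in decoded:
        raise BadRequestPath("NUL byte in path")
    bad = sorted(set(decoded) - ALLOWED)
    if bad:
        listing = ", ".join(f"0x{b:02x}" for b in bad)
        raise BadRequestPath("disallowed byte(s): " + listing)
    if not decoded.startswith(b"/") or b".." in decoded.split(b"/"):
        raise BadRequestPath("not an absolute path without '..' segments")
    return decoded.decode("ascii")


def verdict(raw_path):
    """Return 'ok' or the reason the path was refused."""
    try:
        decode_request_path(raw_path)
        return "ok"
    except BadRequestPath as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed request paths.
    for raw in ("/docs/", "/docs/%00", "/docs/%2500", "/docs/../x"):
        print(f"{raw!r}: {verdict(raw)}")
```

Because the allow-list excludes the percent sign, a doubly encoded value such as %2500 is refused as well rather than being decoded a second time further down the stack.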
Redirect for directory indexes
If the user requests a directory without specifying a trailing slash the server used to return the directory's index file immediately.
This could lead to problems with relative links in the index file.
The server now redirects the browser to the directory name with a trailing slash, to avoid this problem.
Thank you to Dan for letting us know about this one.
Case sensitive user names
The server used to have a problem with matching Realm group members when the user name contained upper-case characters.
All user name matching has now been made case insensitive.
Thank you to Sepp for letting us know about this one.
Restricted file names
The set of permitted characters allowed for directory and file names has been tightened. This may
prevent some of your files from being accessed.
For more details see the on-line FAQ
15 June 2002
System Service. KF Web Server can now be installed as a system service on Windows NT, 2000 and XP.
Better log files. We now support both industry-standard log file formats, NCSA and W3C.
Better support for PHP and PERL
More detailed statistics
CGI Environment display
Support for the Opera browser
31 May 2002
First official release
These are some of the features that we are planning:
Non English language versions.
We are looking for more ideas and suggestions. If you have any then please let us have them.