Ahh…the optimism of days gone by. While gathering citations for a web security timeline I came across this message from Rob McCool regarding the new release of his NCSA httpd project. NCSA httpd was the precursor to Apache.
Also notice the blatant disregard for zero by merely naming the releases “point two” and “point three.” The Modern Web Masses are surely rectifying this through inversion by adding “point oh” to everything, such as the dearly meaningless “web 2.0” moniker. (Since apparently calling something “two” doesn’t use enough syllables.)
From the README:
This is beta release .3
NEW IN RELEASE .3
o Security hole (should be the last) fixed
o Nearly complete drop-in gopher support. See README.GOPHER for details
o Not being able to find the config file does not send back a path
NEW IN RELEASE .2
o Two security holes fixed
o Double slashes in root index fixed
o Not being able to find the error files no longer hangs the server
So, by April 22, 1993 a beta web server was already being poked at by curious hackers looking for holes in a network. As you might guess, this wasn’t the last security hole fixed.
I’ve managed to download version 0.5, but can’t find any mirrors or archives that reach earlier than that. If you manage to find one, let me know. I’d like to expand this post with examples of what early attacks might have looked like.