1. New User Interface
   The user interface has been given a more modern looking theme.

KeyFocus issued a patch for a cross site scripting issue that has recently been identified in the KF Web Server admin script.

We consider this issue to be of minor severity as it does not affect web sites hosted by the web server.

The problem is not in the web server itself but in the admin script hosted by the server. In order to access this script the attacker would need to be logged onto the server locally and have the admin password. With that level of access they would already have complete control of the web server configuration, in effect root access, so there would be no need to use this technique.

We do take this issue and all security issues seriously and have issued a patch which can be obtained from the download page.

1. Faster CGI Performance
   The way the server interacts with CGI applications such as PHP and Perl has be re-written to make it much faster. This is most noticable when the CGI pages are large or when CGI is used to download big files.

1. User Interface Improvements
   A link to the hosted website has been added to each website in the status menu, allowing the web site to be viewed by a single click.
   
2. Additional Path Info
   We have added support for additional virtual directories in the URL as described in the CGI standard. Many scripts use this facility to pass parameters to the script without the need for a query. This has the benefit of providing permalinks.

   Example:
   http:://www.mydomain.com/post.html/2005/02/
   will call the script /post.html and pass /2005/02/ in the PATH_INFO envorinment variable.

   This feature is only available for files types set up with a CGI filter map.
   It is turned off by default as it has a slight impact on performance and can lead to confusion if not required.
   To enable it go to the Server -> General menu.
   
3. URL Re-write Rules
   URL Rewrite Rules are a powerful feature that allows you to manipulate the URL received by the web server into a different form.

   Rewrite Rules can do everything an alias can do and more, but they are complex to set up.

   They work by searching the URL for a specified pattern and then replacing it with the substitution text. The pattern is a perl compatible regular expression.

   The substitution can include 'back-references', which refer to the sub-patterns in the pattern. This allows very sophisticated substitutions to be made.

1. Large CGI post
   A problem that limited the maximum size of data that could be posted to a CGI page has been removed.

1. Internal enhacements
   Serveral changes have been made to the server internals to make it faster and more reliable.
2. Change to log format
   The W3C logfile output has been changed to make it more compatible with the analog log file analyser.

1. CGI Clear Browser Cache
   If this is checked then CGI pages will contain a no-cache header added to returned page.
   This ensures a users browser does not store the page for even short perions of time.
   Use this option if you have a dynamic web site with constantly changing pages.
   To access this option go to the Web Sites -> Cache sub-menu.

1. CGI Cache
   Now works with pages containing queries.
2. Monitor pop up menu
   The pop up menu now always appears in the correct place.

1. Admin Interface Released As Open Source
   KeyFocus has released the source code for the Admin Interface to enable you to make custom modifications and translate it into other languages.
   The Admin Interface has been released under the Mozilla Public License.
   The rest of KF Web Server is not subject to this license and the source code will not be released.
   Included in this distribution you will find the source code to the admin interface, system scripts and the supporting image, html and javascript files.
   
2. Internet Explorer Error Messages
   When an error message is returned from a web server Microsoft Internet Explorer sometimes decides to display its own error page instead of the error page returned by the server. This was the case with the "404 Not Found" error page returned by KF Web Server. This is a non standard and undocumented Microsoft feature.
   KF Web Server now returns an error page that Microsoft Internet Explorer will always display.
   If you are using a "custom error script", then you will have to update it or replace it with the contents of the file "servererror.wkf.new", that is installed as part of this release.
   Thanks to Hugo Gonz�lez for suggesting a solution to this issue.

1. Range Requests Problem
   A flaw in the way the server handled certain types of range request has been corrected.
   This affected certain special download acceleration tools.
   Thanks to Jose for bringing this to our attention.
2. Server Running Time
   The server running time displayed in the status page of the administration interface could be wrong, depending on the time zone.
   Thanks to all the users who pointed this out.

1. Log Time always in GMT
   A bug was introduced in version 2.0.0 that caused the server to always use Greenwich Mean Time for log entries even when not specified in the configuration. This has now been fixed.
   Thanks to Gary Raymond for spotting this one.

1. Rotating Log Files
   In previous versions all request to a web site were written to a single log file. This means the log file would keep growing. It is now possible to rotate the log files each day, week or month. This makes managing and archiving old log files a lot easier. When a new log file is created the date is added to its name.
2. CGI Executable Direct Execution
   Certain CGI EXE programs are designed to be run directly from a HTML link. Previously these types of application were not allowed in KFWS for security reasons. It is now possible for them to be executed.
3. Host Wild Card
   It is now possible to add a wild card to a domain name so that a web site can be matched against a number of similar domain names. A new field called "Server Match Name" has been added to the Advanced screen for each web site.
4. CGI Cache
   KF Web Server can now cache output from CGI applications. This can lead to a dramatic increase in performance for sites that have a large number of users.
5. Support for large files
   In previous versions a file was loaded completely into memory, before being sent to a client. A site hosting large files, e.g. 100+ mb, would experience a performance hit as the web server used a lot of the available system memory. This version handles large files in small chunks, without the need for a large amount of memory.
6. Sin Bin
   The Sin Bin is a mechanism to restrict clients that make excessive demands on the web server, by slowing down responses to their requests, or even excluding them from the server altogether.
7. Disable Range Requests
   Range requests are used by download utilities to download different parts of a large file simultaneously. Turning off this option will prevent such utilities from working, but not prevent a normal browser from downloading a file.

1. Monitor Busy Indicator
   The Monitor Busy Indicator now works when KFWS is installed as a systems service on Windows XP.
2. Bad URL Security Problem
   A flaw in the way the server handled certain invalid URL paths has been corrected.
   Thanks to Matt Murphy for bringing this to our attention.

1. Monitor Busy Indicator
   The system tray monitor now flashes for one minute after the server has served a request. This provides a visible warning that your server is being accessed.
2. Default Mime Type
   Adding the extension '*' to a mime type makes it the default mime type. All files that do not have a recognized extension will be assumed to be the default mime type.
3. Duplicate Extensions
   The Admin interface now checks to see if a file extension has been listed with more than one mime type, a common error.
4. Directory Index Sort Order
   It is now possible to sort the directory index by name, extension, date and size

1. Log headers
   W3C log headers are now always added to the initial log files.
2. ActiveHTML Integration
   Improved integration with this ASP platform

1. Security vulnerability - malformed header
   A security vulnerability exists in all previous versions where a hacker using a special malformed http header could cause a buffer over-flow. This is fixed in this version.
   The following event is written to the system log, "Request Error: Invalid header", if someone attempts to attack the server in this way.
   Thank you to Paul Beechey of QinetiQ for letting us know about this one.
2. PERL Integration
   A few minor issues getting PERL scripts to work

1. Fixed a problem with running the server as a systems service, which was introduced in version 1.0.4.

1. Compressed HTTP support
   Boost your performance by up to three times.
2. Custom error messages
   Option to control how server errors appear using a custom script.
3. Less Secure File Names
   Option to accept special characters in file names.
4. IP to Host Name translation
   Option to perform a reverse DNS look up on a clients IP address in the log file.
5. Better error reporting for CGI problems
   Helps take the guess work out of fixing integration issues.

1. Occasional crash when restarting server fixed.

1. Security vulnerability - %00
   If the requested URL contains a %00 after a directory name, then the server used to generate an index of the files in the directory. This allowed a hacker to by-pass the default index file. This security flaw does not allow a hacker to view any files or directories that for which permission has not been granted.
   Thank you to Arnaud Jacques from Securite Info for letting us know about this one.
2. Redirect for directory indexes
   If the user requests a directory without specifying a trailing slash the server used to return the directories index file immediately. This could lead to problems with relative links in the index file. The server now redirects the browser to the directory name with a trailing slash, to avoid this problem.
   Thank you to Dan for letting us know about this one.
3. Case sensitive user names
   The server used to have a problem with matching Realm group members when the user name contained upper-case characters. All user name matching has now been made case insensitive.
   Thank you to Sepp for letting us know about this one.

1. Restricted file names
   The set of permitted characters allowed for directory and files names has been tightened. This may prevent some of your files from being accessed. For more details see the on-line FAQ

1. System Service. KF Web Server and now be installed as a systems service on Windows NT,2000,XP
2. Better log files. We now support both the two industry standard log file formats, NCSA and W3C.
3. Better support for PHP and PERL
4. More detailed statistics
5. CGI Environment display
6. Support for the Opera browser