RE: PHP Resource Exhaustion Denial of Service

From: Russ Garrett (rgat_private)
Date: Mon Jul 22 2002 - 09:27:02 PDT


    > PHP's install process on Apache requires a "/php/" alias to be created, as
    > it resolves CGI paths to a virtual.  (e.g., /php/php.exe not
    > C:\php\php.exe).
    
    I haven't added and haven't had this automatically added to my systems
    running (a hastily-upgraded) PHP 4.2.2 as CGI.
    
    > To solve the obvious security vulnerability posed by allowing PHP to run
    > from the web, the development team added a cgi.force_redirect option that
    > is enabled by default in Apache.
    
    Similarly this option is not present in my php.ini file, and going to
    http://localhost/php/php on my server produces a 404, not a 3xx redirect.
    
    Is this a PHP 3-only problem? I have had precisely zero experience with
    PHP3, so I wouldn't know.
    
    Russ Garrett
    russat_private
    http://russ.garrett.co.uk
    


