[26258] in bugtraq


RE: PHP Resource Exhaustion Denial of Service

daemon@ATHENA.MIT.EDU (Russ Garrett)
Mon Jul 22 23:41:23 2002

From: "Russ Garrett" <rg@tcslon.com>
To: "Bugtraq" <bugtraq@securityfocus.com>
Date: Mon, 22 Jul 2002 17:27:02 +0100
Message-ID: <NDBBLDHKLKMANPGMACIGKEAKDAAA.rg@tcslon.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <000801c23058$442dc220$e62d1c41@kc.rr.com>

> PHP's install process on Apache requires a "/php/" alias to be created, as
> it resolves CGI paths to a virtual.  (e.g, /php/php.exe not
> C:\php\php.exe).

I haven't added and haven't had this automatically added to my systems
running (a hastily-upgraded) PHP 4.2.2 as CGI.

> To solve the obvious security vulnerability posed by allowing PHP to run
> from the web, the development team added a cgi.force_redirect
> option that is
> enabled by default in Apache.

Similarly this option is not present in my php.ini file, and going to
http://localhost/php/php on my server produces a 404, not a 3xx redirect.

Is this a PHP 3-only problem? I have had precisely zero experience with
PHP3, so I wouldn't know.

Russ Garrett
russ@garrett.co.uk
http://russ.garrett.co.uk
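For readers checking their own PHP-as-CGI installs against the two settings discussed in this thread (the "/php/" ScriptAlias and cgi.force_redirect), the following is an added illustration, not configuration from either poster. The php.ini directive cgi.force_redirect is real and defaults to on in PHP 4.x; the paths are assumed placeholders, and the Apache lines show the conventional CGI wiring so the risky piece can be identified.

```ini
; --- php.ini (added example; defaults shown for comparison) ---

; Weak: disabling this lets the php CGI binary be invoked directly by URL
; rather than only through Apache's Action handler redirect.
; cgi.force_redirect = 0

; Correct (and the PHP default): refuse to run unless Apache set the
; redirect status, i.e. unless the request came through the .php handler.
cgi.force_redirect = 1

; Only needed if the web server does not set REDIRECT_STATUS itself
; (Apache does); left commented because the page does not require it.
; cgi.redirect_status_env = REDIRECT_STATUS

; --- httpd.conf (added example; C:/php/ is an assumed install path) ---
;
; ScriptAlias /php/ "C:/php/"           <- exposes the interpreter directory
;                                          under a web path; this is the
;                                          alias the original post describes.
; AddType application/x-httpd-php .php
; Action  application/x-httpd-php "/php/php.exe"
;
; Checks a defender can run against such a host:
;  * a request for /php/php.exe (or /php/php) should not return 200 or 3xx;
;    with cgi.force_redirect = 1 PHP refuses to execute and Apache may
;    instead return 404 (as in the reply above) or an error page;
;  * `php-cgi -i | grep force_redirect` (or phpinfo()) should show
;    cgi.force_redirect => 1;
;  * the ScriptAlias directory should contain nothing but the interpreter,
;    and should not be reachable if the Action handler is not in use.
```

The second and third checks depend only on the directive existing; the 404 observed in the reply is consistent with the alias simply not being configured, which is a stronger position than relying on cgi.force_redirect alone.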

