Bugtraq mailing list archives

RE: PHP Resource Exhaustion Denial of Service


From: "Russ Garrett" <rg () tcslon com>
Date: Mon, 22 Jul 2002 17:27:02 +0100

PHP's install process on Apache requires a "/php/" alias to be created, as
it resolves CGI paths to a virtual. (e.g., /php/php.exe not
C:\php\php.exe).

I haven't added and haven't had this automatically added to my systems
running (a hastily-upgraded) PHP 4.2.2 as CGI.

To solve the obvious security vulnerability posed by allowing PHP to run
from the web, the development team added a cgi.force_redirect option that is
enabled by default in Apache.

Similarly this option is not present in my php.ini file, and going to
http://localhost/php/php on my server produces a 404, not a 3xx redirect.

Is this a PHP 3-only problem? I have had precisely zero experience with
PHP3, so I wouldn't know.

Russ Garrett
russ () garrett co uk
http://russ.garrett.co.uk

