PHP as CGI: Denial of Service?

To: debian-user@lists.debian.org
Subject: PHP as CGI: Denial of Service?
From: Florian Effenberger <floeff@arcor.de>
Date: Tue, 28 Sep 2004 20:38:03 +0200
Message-id: <[🔎] 4159AF8B.4030305@arcor.de>

Hello there,

PHP set up as CGI (either with binfmt and suEXEC or via suPHP) canexpose your system to a denial of service attack. Even a very simplepage like


<? echo "Hello world"; ?>

can bog down a server completely if the reload button on the browser ispressed continously for some seconds. I already tried the RMaxdirectives in httpd.conf and the memory limit in php.ini, but it doesnot seem to work, it is just being ignored. I think that so manyprocesses are spawned that the system is out of control. I can get myload as high as 91 and my disk swaps for nearly 30 minutes until itworks again. Sometimes even the kernel crashed with out of memory errors.


Apart from trying out cgiwrap, I am completely helpless right now.

Does anyone have an idea on what to do? I can't be possible that everyPHP suEXEC install is a big security risk. Any tips are welcome!


I experienced this problem with Apache 1.3 and 2.0.

Thanks in advance,
Florian

Reply to:

Prev by Date: Re: Debian java howto for sarge?
Next by Date: Re: mii-tool eth0 wierdness
Previous by thread: Re: LaTeX with Emacs
Next by thread: Mirror with some errors..
Index(es):
- Date
- Thread