httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Florian Effenberger <>
Subject [users@httpd] PHP as CGI: Denial of Service?
Date Wed, 29 Sep 2004 07:39:24 GMT
Hello there,

PHP set up as CGI (either with binfmt and suEXEC or via suPHP) can
expose your system to a denial of service attack. Even a very simple
page like

<? echo "Hello world"; ?>

can bog down a server completely if the reload button on the browser is
pressed continously for some seconds. I already tried the RMax
directives in httpd.conf and the memory limit in php.ini, but it does
not seem to work, it is just being ignored. I think that so many
processes are spawned that the system is out of control. I can get my
load as high as 91 and my disk swaps for nearly 30 minutes until it
works again. Sometimes even the kernel crashed with out of memory errors.

Apart from trying out cgiwrap, I am completely helpless right now.

Does anyone have an idea on what to do? I can't be possible that every
PHP suEXEC install is a big security risk. Any tips are welcome!

I experienced this problem with Apache 1.3 and 2.0.

Thanks in advance,

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message