This is standard PATH_INFO behaviour.  I don't really see a DoS issue
here.  Use piped logs or something and teach your logging system not to
log these if you have an issue with it.  DoS from filling log files isn't
something we can do much about.

-Rasmus

> Just noticed a strange problem with one of my business servers.  It's
> configured identically (afaik) to all of my other servers (which do not
> exhibit this behavior), with Apache 1.3.20 and PHP 4.0.6, running on Linux
> Mandrake 7.2.
>
> The problem occurs only when requesting PHP documents.  Say, for example, I
> have a PHP script at: http://www.example.com/myphpscript.php
>
> For some reason, I can also access this page via:
> http://www.example.com/myphpscript
>
> On top of that, I seem to be able to pass a whole bogus path afterwards:
> http://www.example.com/myphpscript/blah/blah/blah/and/so/on/etc/
>
> ...and the page (myphpscript.php) is still displayed properly.
>
> It's not really a big deal, but I had some prick with too much time on his
> hands taking advantage of this, filling my logfiles with thousands of
> requests for ~300-character URLs.
>
> This ONLY happens with files with the .php extension (not .html files) so
> I'm not sure if it's a problem with my Apache config, my PHP config, or
> what... Anyone have any clues?  I've been through both the Apache and PHP
> docs a few times over, but can't seem to find anything relevant.
>
> Compiled Apache with:
> --prefix=/usr/local/apache --enable-module=ssl --enable-module=so
> --enable-module=log_agent --enable-module=log_referer --enable-module=proxy
> --enable-module=rewrite --enable-module=speling --enable-module=usertrack
> --enable-module=vhost_alias
>
> And PHP with:
> --with-apxs=/usr/local/apache/bin/apxs --enable-versioning
> --with-mysql=/usr/local/mysql --enable-track-vars
>
> Any help would be appreciated!
>
> Helmut


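Rasmus's suggestion above (pipe the log through something that drops these requests) as an added example that is not part of this thread: a small piped-log filter that drops access-log entries carrying trailing PATH_INFO after a PHP script, or an overlong URI, and keeps a count of what it dropped so the flood is still visible in aggregate. The sample log lines, the `known_scripts` set, the 200-character threshold and the function names are constructed assumptions.

```python
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Leading fields of an Apache common/combined log line; the request line is quoted.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)')

def drop_reason(uri, known_scripts, max_len):
    """Why a request should stay out of the main log ('pathinfo' / 'overlong'), or None."""
    if len(uri) > max_len:
        return "overlong"
    path = urlsplit(uri).path
    # /myphpscript.php/blah/blah : extra path segments after a PHP script
    if re.search(r'\.php/.', path):
        return "pathinfo"
    # /myphpscript/blah/blah : same thing with the extension omitted; only
    # recognisable if we know which script names exist on this vhost
    parts = path.strip("/").split("/")
    if len(parts) > 1 and parts[0] in known_scripts:
        return "pathinfo"
    return None

def filter_log(lines, known_scripts=frozenset(), max_len=200):
    """Return (lines worth logging, Counter of dropped entries by reason)."""
    kept, dropped = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        reason = drop_reason(m.group("uri"), known_scripts, max_len) if m else None
        if reason:
            dropped[reason] += 1
        else:
            kept.append(line)
    return kept, dropped

# Constructed sample log lines modelled on the URLs quoted in the thread.
SAMPLE = [
    '203.0.113.7 - - [10/Aug/2001:12:00:01 +0000] "GET /myphpscript.php HTTP/1.0" 200 512',
    '203.0.113.7 - - [10/Aug/2001:12:00:02 +0000] "GET /myphpscript/blah/blah/blah HTTP/1.0" 200 512',
    '203.0.113.7 - - [10/Aug/2001:12:00:03 +0000] "GET /myphpscript.php/and/so/on/etc/ HTTP/1.0" 200 512',
    '198.51.100.4 - - [10/Aug/2001:12:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024',
    '203.0.113.7 - - [10/Aug/2001:12:00:05 +0000] "GET /myphpscript.php?q=' + "A" * 300 + ' HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    # Wired up as a piped log: Apache writes each line to stdin, we pass through the rest.
    kept, dropped = filter_log(sys.stdin, known_scripts={"myphpscript"})
    sys.stdout.writelines(kept)
    print("dropped:", dict(dropped), file=sys.stderr)
```

With a real server the script would be attached with a `CustomLog "|/path/to/filter.py" combined` directive and the dropped counts written somewhere of their own, so the probing is still noticed without filling the main log.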
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]