But we can do a *lot* to help avoid misconfigurations.
This particular misconfiguration is so rare that we're pushing an awful lot of effort onto the user - regardless of automation (as *knowing* where files are is half the battle) - for something they'll probably never encounter in their life, unlike say, XSS.
Oh, and we are not entirely Apache-only, are we?
I deliberately didn't mention Apache in my own post because it's a NULL issue: the *frequency* with which it takes to *screw up a server SO BAD* such that a DocRoot is misplaced or PHP is broken, is common equally enough on Apache, LigHTTPD, Zeus, Covalent, IIS, or any other server. It happens *so infrequently* that the software used, or the method in which it is screwed up, doesn't make a damn bit of difference.

--
Morbus Iff ( you are nothing without your robot car, NOTHING! )
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
O'Reilly Author, Weblog, Cook: http://www.oreillynet.com/pub/au/779
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus