"Apache httpd 2.0.59 and 2.2.4, with the Prefork MPM module, allows local users
to cause a denial of service via certain code sequences executed in a worker
process that (1) stop request processing by killing all worker processes and
preventing creation of replacements or (2) hang the system by forcing the master
process to fork an arbitrarily large number of worker processes. NOTE: This
might be an inherent design limitation of Apache with respect to worker
processes in hosted environments."
In the security model used by Apache httpd, the less-privileged child processes
(running as the "apache" user) completely handle the servicing of new
connections. Any local user who is able to run arbitrary code in those children
is therefore able to prevent new requests from being serviced, by design. Such
users will also be able to "simulate" server load and force the parent to create
children up to the configured limits, by design.
A server with untrusted local users must be configured to use a solution like
"suexec" if it's required to allow the users to execute CGI (etc) scripts.