> While this plugs the current hole, I have a feeling that allowing
> users to use their own config file is a bad idea because it keeps open
> a class of possible attack vectors. I would suggest accepting config
> files provided by the configdir parameter only if the config is owned
> by the same user that is running the CGI script.
I don't like that, because normally the config file should not be writable by the web server. Another solution would be to simply disable the configdir parameter.

Charles

-- 
Late risers!
Shave in just 2 minutes flat
Kiss your wife
Grab your hat
Burma-Shave
http://burma-shave.org/jingles/1933/late_risers
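The two positions in the thread are not exclusive: a script can require both that a config file supplied via the configdir parameter is owned by the user the CGI runs as (the quoted proposal) and that nobody other than that owner can write it (Charles's objection). The following is an added example, not code from the thread or from the project being discussed; the function and scenario names (`check_config_file`, `demo`) and the sample config content are made up here. It goes a little beyond the thread by also rejecting symlinks and paths that escape an allowed base directory, since without those two checks the ownership test can be pointed at an arbitrary file.

```python
"""Validate an untrusted config path before a CGI script loads it.

Added example; not the project's own code. Checks, in order:
  1. the path stays inside an allowed base directory (addition here),
  2. the final component is not a symlink (addition here),
  3. the file is owned by the user running the script (thread proposal),
  4. the file is not group- or world-writable (Charles's objection).
"""
import os
import stat
import tempfile


def check_config_file(path, base_dir, expected_uid=None):
    """Return (fd, reason).

    fd is an open read-only descriptor on the validated file, or None
    when a check fails; reason says why. The caller should parse the
    config from the returned fd rather than reopening the path, so the
    inode that was checked is the one actually read.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()  # the user the CGI script runs as

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(path)
    # Containment: the configdir parameter must not escape base_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None, "outside base directory"

    # O_NOFOLLOW makes open() fail if the last component is a symlink,
    # so a link placed inside the allowed directory cannot redirect us.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        return None, "open failed: %s" % exc.strerror

    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        return None, "not a regular file"
    # Thread proposal: accept only files owned by the running user.
    if st.st_uid != expected_uid:
        os.close(fd)
        return None, "owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    # Charles's point: a config that the web server (or anyone but the
    # owner) can write is itself the attack surface.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        os.close(fd)
        return None, "writable by group or others"
    return fd, "ok"


def _run(results, name, *args):
    fd, results[name] = check_config_file(*args)
    if fd is not None:
        os.close(fd)


def demo():
    """Exercise each check against constructed files in a temp dir.

    Returns a dict of scenario name -> reason string.
    """
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "app.conf")
        with open(good, "w") as f:
            f.write("listen = 127.0.0.1\n")  # constructed sample config
        os.chmod(good, 0o644)
        _run(results, "owner_readonly", good, base)

        os.chmod(good, 0o666)  # world-writable: the case Charles objects to
        _run(results, "world_writable", good, base)
        os.chmod(good, 0o644)

        # Wrong owner: simulated by demanding a uid we do not have.
        _run(results, "wrong_owner", good, base, os.geteuid() + 1)

        link = os.path.join(base, "link.conf")
        os.symlink(good, link)
        _run(results, "symlink", link, base)

        _run(results, "escape", os.path.join(base, "..", "passwd"), base)
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print("%-15s %s" % (name, reason))
```

Note that a file passing these checks can still be swapped out between the check and a later `open()` of the same path, which is why the validated descriptor, not the path, is what gets handed to the parser. Whether the config directory itself is writable by the web server user is a separate question the thread does not settle; Charles's alternative of disabling the configdir parameter avoids all of this.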

