Following CERT's first suggestion on the NCSA httpd 1.3 crashed my WWW server! The added 7936 bytes to MAX_STRING_LEN (in 154 instances) made each running httpd process about 100K larger and brought the server (which runs close to swapping anyway at busy times) crashing to its knees.

NCSA says that the util.c patch is enough to cover the vulnerability. (their details are at http://hoohoo.ncsa.uiuc.edu/docs/patch_desc.htm)

The top of that page reads:

    A vulnerability was recently discovered in the NCSA httpd. A program
    which will break into an HP system running the precompiled httpd has
    been published, along with step by step instructions.

Three cheers for full disclosure.. it gets results.

kevin
--
kevintx@paranoia.com       | "Ask me no questions, I'll tell you no lies."
(System Administrator)     | Paranoia offers low cost accounts to those in need.
Finger for PGP 2.3 Key     | <a href="http://www.paranoia.com/">The Server</a>