Looks like I posted too fast, I just found another hole in httpd. In http_access.c, function evalute_access:

    if(S_ISDIR(finfo->st_mode))
        strcpy_dir(path,p);
    else
        strcpy(path,p);

The second strcpy is copying a filename (again, potentially 8192 characters) into a local buffer (256 characters.)

Some scary info:

    {nic} grep strcpy *.c | wc -l
    123
    {nic} grep sprintf *.c |wc -l
    51

There are more holes here, folks.

-- 
Paul Phillips
paulp@cerf.net
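The overflow described in the message above comes from an unchecked strcpy. The following is an added example, not part of the original post and not httpd's own code, showing a length-checked copy that rejects an oversized filename before anything is written to the 256-byte buffer. The names PATH_BUF, REQ_MAX, copy_path and check_request are assumptions; the sizes 256 and 8192 are the ones given in the post.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* local buffer size stated in the post */
#define REQ_MAX  8192  /* maximum request filename length stated in the post */

/* Hypothetical helper: copy src into dst only if it fits, including the NUL.
 * Returns 0 on success, -1 if src would overflow dst (dst is left empty). */
int copy_path(char *dst, size_t dstsz, const char *src)
{
    size_t n;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    n = strlen(src);
    if (n >= dstsz) {      /* strcpy(path, p) would write past the buffer here */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hypothetical stand-in for the access check: builds a constructed request
 * filename of `len` bytes and reports whether it is accepted (0) or
 * rejected (-1) before anything is written to the 256-byte buffer. */
int check_request(size_t len)
{
    static char req[REQ_MAX + 1];   /* constructed sample input */
    char path[PATH_BUF];

    if (len > REQ_MAX)
        return -1;
    memset(req, 'A', len);
    req[len] = '\0';
    return copy_path(path, sizeof(path), req);
}

int main(void)
{
    size_t lens[] = { 10, PATH_BUF - 1, PATH_BUF, REQ_MAX };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len %4lu -> %s\n", (unsigned long)lens[i],
               check_request(lens[i]) == 0 ? "copied" : "rejected");
    return 0;
}
```

A caller would treat the -1 return as a failed request rather than continuing with a truncated path.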