> There are two ways I know of to protect against this attack until SGI has a
> patch ready. One would be to write a wrapper that removes "dangerous"
> environment variables. Obviously, figuring out which ones are dangerous is
> the trick! Certainly anything that starts with LD_ or _RLD should be removed.
> But there may always be others you don't know about.

The approach we have taken in our secure Web executable server (still under
test) is to only pass variables whose names start with 'W' and remove any
non-safe characters from variable assignments. We then pass the environment on
to our executables. This also eliminates other sickness related to using the
shell for (hah) secure applications (like setting the IFS to K and sending
rmK-rfK/ to a script interpreter). The trick here is that variables we don't
know about that don't start with 'W' are not passed. I would feel even better
if it were something like World-Wide-Web-Sick-Variable but efficiency is worth
something.

--
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
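An added illustration of the allow-list wrapper described in the reply above (example code, not the poster's server and not SGI's patch): only variables whose names start with 'W' survive, so LD_*, _RLD* and IFS are dropped without having to enumerate them, and the value of each surviving variable is stripped to a permitted character set. The permitted set, the function names and the sample environment are assumptions made for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Characters permitted in a value; anything else is dropped. The exact set is
   an assumption for this example, not taken from the post. */
static int safe_char(int c) { return isalnum(c) || strchr("./-_:@,", c) != NULL; }

/* Allow-list rule from the post: only NAME=value entries whose name starts with
   'W' and is [A-Za-z0-9_]+ pass. LD_*, _RLD* and IFS can never match. */
static int name_allowed(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || entry[0] != 'W') return 0;
    for (const char *p = entry; p < eq; p++)
        if (!isalnum((unsigned char)*p) && *p != '_') return 0;
    return 1;
}

void free_env(char **env) {
    for (size_t i = 0; env != NULL && env[i] != NULL; i++) free(env[i]);
    free(env);
}

/* Build the environment to hand to execve(): allowed names only, values copied
   with unsafe characters removed. NULL-terminated; the caller frees it. */
char **filter_env(char *const *envp) {
    size_t n = 0, k = 0;
    while (envp[n] != NULL) n++;
    char **out = calloc(n + 1, sizeof *out);      /* calloc leaves out[k] == NULL */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (!name_allowed(envp[i])) continue;
        const char *eq = strchr(envp[i], '=');
        size_t j = (size_t)(eq - envp[i]) + 1;      /* length of "NAME=" */
        char *copy = malloc(strlen(envp[i]) + 1);
        if (copy == NULL) { free_env(out); return NULL; }
        memcpy(copy, envp[i], j);
        for (const char *p = eq + 1; *p != '\0'; p++)
            if (safe_char((unsigned char)*p)) copy[j++] = *p;
        copy[j] = '\0';
        out[k++] = copy;
    }
    return out;
}

/* Constructed sample environment: a hostile value, two loader variables,
   an IFS override, PATH, and one harmless allowed variable. */
char *const sample_env[] = {
    "WEB_USER=alice; rm -rf /", "LD_PRELOAD=/tmp/x.so", "_RLD_LIST=/tmp/x.so",
    "IFS=K", "PATH=/bin", "WDOC=/docs/index.html", NULL };
```

Passing the result of `filter_env(environ)` as the third argument of `execve()` gives the child only the two W-prefixed entries, with the hostile value reduced to `alicerm-rf/`.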