> What part of the CGI spec or code takes CGI parameters and stores them > in system ENV, before perl is even invoked? Sorry I'm thinking of a PHP "feature". My excuse is that I didn't get enough sleep last night. Still probably many ways to exploit it. Especially if your perl is called from php.