On 08/28/2010 05:30 AM, Stephen Harris wrote: > In general it's not just PHP; it could be perl, script.. anything > eg this extremely bad and broken CGI program: That's true, but /proc/environ isn't in a format that's valid for most languages. If a PHP script can be made to include /proc/environ, code can be injected by the caller. For instance, their Agent string could include PHP code which would end up executed. Other languages may not be as prone to that specific issue.