Ever since I wrote the CERT bulletin about the Guestbook Security Problem,
I have been getting tons of email from people who have not read the
bulletin or the README very carefully.
People have sent email ranging from "you bastard" to "when will you
fix the 'bug'" to "how do I patch this hole".
So, I am going to spell things out once again in hopes that people will
leave me and CERT alone. :)
Well, not exactly!
For 99% of guestbook users, there should be no concern about a security
hole. The hole only occurs for users who:
- Use SSI (Server Side Include) technology on their website
- Have enabled SSI in the directory containing the guestbook.html file
- Have enabled the use of HTML tags in the setup file
- Have not included keywords like "exec" in their @bad_words list in the
setup file.
Further, serious damage can only occur if:
- Your server is running as root (NOBODY SHOULD EVER DO THIS ANYWAYS)
- Your server is not running as root, but you have not carefully set the
permissions on the files in your web tree.
As you can see, there are quite a few "ifs" there. As I said, the
security hole affects very few people.
HOWEVER
Just to be safe, the setup file includes two variables which can be used
to disable SSI whether or not you have it enabled. These are: $allow_html
and @bad_words.
If you are concerned about security, turn off the use of HTML in your
guestbook with the line
$allow_html = "no";
This will disable the use of the comment tag which is used to
denote SSI commands. Or, add SSI keywords like "exec" to the @bad_words
array using the syntax:
@bad_words = ("exec");
Without the "exec" command users will not be able to execute server
functions. At any rate, I recommend the following things:
- Do not use SSI unless you really know what you are doing
- Do not run your web server as root.
- When you are done editing HTML or CGI files, set permissions to not be
writable by anyone.
- Back up everything!
- Keep in mind that every piece of software can be hacked. You are
never safe, but by learning more, you can better your chances.
However, if you must disregard these suggestions, simply disallow the use
of HTML and you'll be just fine. Whatever else, don't panic!
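The two setup-file controls described above ($allow_html and @bad_words) are Perl variables read by the guestbook script; the block below is an added Python reimplementation of the same checks, written for this note and not taken from the guestbook itself. The function name check_entry, the constructed sample entries, and the extra prefix check for any "<!--#" directive (which catches SSI commands other than "exec") are assumptions of this example.

```python
import re
from html import escape

# Every SSI directive is written as an HTML comment that starts with "<!--#",
# e.g. <!--#exec cmd="..."-->.  Matching the prefix therefore catches all
# directives, not only the keywords listed in bad_words.  (Added check; the
# README itself relies on @bad_words for this.)
SSI_DIRECTIVE = re.compile(r"<!--\s*#", re.IGNORECASE)

# Constructed defaults mirroring the setup-file variables from the note.
ALLOW_HTML = "no"
BAD_WORDS = ["exec"]


def check_entry(comment, allow_html=ALLOW_HTML, bad_words=BAD_WORDS):
    """Return (accepted, text) for one guestbook comment.

    allow_html != "yes": all markup is escaped, so a comment tag can never
    reach guestbook.html as live markup and SSI has nothing to parse.
    allow_html == "yes": the comment is refused if it contains any entry of
    bad_words (plain case-insensitive substring match) or any SSI prefix.
    """
    if allow_html != "yes":
        return True, escape(comment, quote=True)
    lowered = comment.lower()
    for word in bad_words:
        if word.lower() in lowered:
            return False, "rejected: contains bad word %r" % word
    if SSI_DIRECTIVE.search(comment):
        return False, "rejected: contains an SSI directive"
    return True, comment


# Constructed sample entries: harmless HTML, the exec directive the note
# discusses, and a benign echo directive that "exec" in bad_words misses.
SAMPLES = [
    "Nice site! <b>thanks</b>",
    '<!--#exec cmd="id"-->',
    '<!--#echo var="DATE_LOCAL"-->',
]


def run_samples(allow_html):
    """Evaluate every sample under the given $allow_html setting."""
    return [check_entry(s, allow_html) for s in SAMPLES]


if __name__ == "__main__":
    for setting in ("no", "yes"):
        print(setting, run_samples(setting))
```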