in reply to Re^4: Passing a regex from a CGI HTML form
in thread Passing a regex from a CGI HTML form
Hi Linicks,
OK, using 'eval' and the like is equivalent to giving shell access, but surely it will only be as the UID/Group I run apache under?
Yes, that's correct, and the server process is often run under the nobody user or equivalent for that reason. But do you know for sure that the server has been configured properly security-wise on the *NIX level? And why let someone even get that far? It's kind of like buying a safe but leaving a back window to your house open and hoping nobody notices. The question is why not lock all the windows and doors too?
As to web crawlers, how can a crawler 'slurp' a page that isn't advertised anywhere?
Essentially every public IP address is probed at one point or another; I've got a few machines with public IPs and can attest to that. If you've got an Apache name-based virtual host, then AFAIK it does become more difficult, but then again I was just naming one example. Another example: can you guarantee that every computer you use to access this page is secure?
Continuing the shell analogy: An HTML form + eval without a password is the same as setting up an SSH user with no password, and then hoping that no one happens to probe that particular IP + port + username combination. However unlikely it may be, once they do find it, they have access - so why not just throw a password on there?
Regards,
-- Hauke D
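An added example, written for this page and not taken from Hauke D's reply or the original thread, showing the distinction the reply is making in Perl: the form field string-eval'd as code versus compiled as a regex with qr//. It assumes the field has already been read out of the form into a plain string (the function names, the parameter name, the length cap and the sample inputs are all my own choices):

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# UNSAFE: building Perl source from the form field and string-eval'ing it.
# Whatever the user typed runs as Perl, under the web server's UID, which is
# the "SSH user with no password" situation described above. Shown only to
# contrast with the safe version; do not use this.
sub match_unsafe {
    my ($pattern, $text) = @_;
    return eval "\$text =~ /$pattern/";
}

# SAFER: treat the field as data, not code.
#  - qr// compiles the string as a regular expression only; regex
#    metacharacters cannot break out into Perl, and embedded code blocks
#    such as (?{ ... }) are refused at runtime unless "use re 'eval'" is on.
#  - A block eval (not string eval) catches a syntactically bad pattern
#    instead of dying inside the CGI script.
#  - A length cap (my own choice of 200) limits how much pattern a caller
#    can hand to the regex engine.
#  - The -T switch keeps taint mode on, so the string cannot reach a shell
#    or file operation anyway without being explicitly untainted.
sub match_safe {
    my ($pattern, $text, $max_len) = @_;
    $max_len //= 200;

    return (0, 'pattern too long') if length($pattern) > $max_len;

    my $re = eval { qr/$pattern/ };
    return (0, "invalid pattern: $@") unless defined $re;

    my $matched = ($text =~ $re) ? 1 : 0;
    return ($matched, undef);
}

# Constructed sample inputs, standing in for a form submission.
my $text = "Order 1234 shipped to Linicks";

for my $pattern ('\bshipped\b', 'Order \d{4}', '(unclosed') {
    my ($ok, $err) = match_safe($pattern, $text);
    if (defined $err) {
        print "pattern '$pattern': rejected ($err)\n";
    } else {
        print "pattern '$pattern': ", ($ok ? 'match' : 'no match'), "\n";
    }
}
```

With qr// the only thing the user controls is what the regex matches, not what the script executes; the remaining concern is a pattern that is slow to match, which the length cap only partly addresses and which a per-request timeout at the web server level covers better than anything inside the script.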
Re^6: Passing a regex from a CGI HTML form
by Linicks (Scribe) on Sep 03, 2016 at 16:00 UTC