http://www.milw0rm.com/exploits/3118 Half of this is bogus. In i-index.php the $chemin parameter is clearly defined. However in the i-accueil.php script this appears legit. In i-index.php: Line 12: $chemin = "." ; -- Rob Keith Symantec