can CGIs harm servers?

newbie question about CGIs and...

Roozbeh

6:48 pm on Dec 3, 2003 (gmt 0)

10+ Year Member



Hi there

I realized that there are several ways to run applications on servers, like Apache DLLs and CGIs, and maybe lots of other ways...
and also these formats are like standard exe/dll formats... and so servers run these files...

But my question is: this way, isn't it easy to crash servers, steal information by trojans, and also reboot servers?

Thanks
Roozbeh

bakedjake

8:38 pm on Dec 3, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Given the (im)proper permissions, anything is possible. ;-)

Roozbeh

10:59 am on Dec 4, 2003 (gmt 0)

10+ Year Member



Yes....

But how, with permissions, can you not allow a program to reboot the system, or halt the CPU?

thx

victor

11:55 am on Dec 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Only execute programs you have written and/or tested.

Don't ever, ever, execute as code anything that a user has typed into a text field on a browser. You just don't know what they are trying to slip past you.

And (slightly off the topic) don't ever, ever, redisplay anything a user has typed in without first converting any "<" and ">" to named entities ("&lt;" and "&gt;"). That way you won't be sending possibly malicious JavaScript back to be executed on their browser.

That applies doubly to anything they've typed in that you display to other users (such as this post, which may be read by dozens of WebmasterWorldians).

Remember, the server is your box. It should only run stuff you put into that box.

mcavic

5:32 am on Dec 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



But how, with permissions, can you not allow a program to reboot the system, or halt the CPU?

Only programs that are running as root or Administrator will be able to halt or reboot. And if the server is configured correctly, it'll be executing the CGIs under a "safe" account.

Even so, you're right, CGI is what makes malicious server-side code possible. So to avoid problems, the whole server has to be quite secure.
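As an added illustration of victor's two rules (never execute what a user typed, and escape it before redisplaying) and mcavic's point about CGIs running under an unprivileged account, here is a small Python CGI script. It is not code from the thread; the query string, the `comment` parameter name and the refuse-if-root check are assumptions for the example, and it escapes "&" and quotes as well as "<" and ">", which matters when user text lands inside an attribute.

```python
import html
import os
import sys
import urllib.parse

# Constructed sample of what a CGI script would see in QUERY_STRING:
# comment=<script>alert(1)</script> hi & bye  (URL-encoded)
SAMPLE_QUERY = "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E+hi+%26+bye"


def escape_for_html(text: str) -> str:
    """Neutralise user text before it is echoed into a page.
    The post only mentions '<' and '>'; '&' and quotes are escaped too,
    so the text is also safe inside an attribute value."""
    return html.escape(text, quote=True)


def running_as_unprivileged_user() -> bool:
    """True unless the effective uid is root (0). Where os.geteuid does
    not exist (Windows) the answer is unknown, so report False (fail closed)."""
    geteuid = getattr(os, "geteuid", None)
    if geteuid is None:
        return False
    return geteuid() != 0


def render_comment_page(query_string: str) -> str:
    """Build the response body. The user's text is treated as data only:
    it is escaped and never handed to a shell, eval() or exec()."""
    params = urllib.parse.parse_qs(query_string)
    comment = params.get("comment", [""])[0]
    safe = escape_for_html(comment)
    return "<html><body><p>You wrote: " + safe + "</p></body></html>\n"


def main() -> int:
    # Assumed policy for this example: refuse to serve anything as root.
    if not running_as_unprivileged_user():
        sys.stdout.write("Status: 500 Internal Server Error\r\n"
                         "Content-Type: text/plain\r\n\r\n"
                         "refusing to run with root privileges\n")
        return 1
    body = render_comment_page(os.environ.get("QUERY_STRING", SAMPLE_QUERY))
    sys.stdout.write("Content-Type: text/html\r\n\r\n" + body)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```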