On 26 Sep 2014, at 11:48, Andrea Faulds <a...@ajf.me> wrote: > On 26 Sep 2014, at 11:46, marius adrian popa <map...@gmail.com> wrote: > >> Maybe we need an official stance about shellshock > > Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m not > sure there’s much we can reasonably do about it. Similarly to the Heartbleed > bug, control is not in our hands here.
So I did a little research: 1) On many systems, /bin/sh is a symlink for bash 2) popen() uses /bin/sh 3) PHP uses popen() for its backticks, shell_exec, exec, system, passthru and proc_open functions. To cause the bash issue, you just need an environment variable which is set from user data. This means that almost all PHP CGI apps which use any of the Program Execution Functions are vulnerable, and possibly many non-CGI apps if they do anything which sets the environment variables based on user data. I think it might be worth us putting a statement on the homepage. PHP-level vulnerability it isn’t, but it is a serious one. -- Andrea Faulds http://ajf.me/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
