Comes down to the basics, not treating data as formally as we do code, and allowing the data to drive "weird machine" behavior. If Bash had a stricter parser for its input, it wouldn't be an issue.
JT

On Fri, Sep 26, 2014 at 11:18 AM, Sashank Dara <krishna.sash...@gmail.com> wrote:
> Hi,
>
> By now, some of you would have heard about the shellshock bug identified
> and making circles.
>
> Below is the environment setting command that has a bug.
>
> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> Source:
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>
> Now from langsec perspective, how do we explain this, anybody?
>
> Regards,
> Sashank
> http://lnkd.in/88sgfr
>
> _______________________________________________
> langsec-discuss mailing list
> langsec-discuss@mail.langsec.org
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
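The "stricter parser" point in the reply above can be shown as a recognizer that accepts an environment value as a function definition only when the whole value is consumed by the definition. This is an added example, not part of the thread and not Bash's code; the names `body_end`, `classify` and `audit` are hypothetical, and the brace matching is a deliberately simplified stand-in for real shell grammar.

```python
import re

# Unpatched Bash treated any environment value beginning with "() {" as an
# exported function definition and handed the entire string to its parser.
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")


def body_end(value: str) -> int:
    """Index just past the brace that closes the function body, or -1.

    Simplified assumption: only quotes and backslash escapes are tracked,
    not the full shell grammar (no heredocs, comments or ${...}).
    """
    depth, quote, i = 0, None, value.index("{")
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1                      # skip escaped char in double quotes
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                          # skip escaped char outside quotes
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1


def classify(value: str) -> str:
    """Return 'plain', 'function', 'malformed' or 'trailing-data'."""
    if not FUNC_PREFIX.match(value):
        return "plain"
    end = body_end(value)
    if end == -1:
        return "malformed"
    # The langsec rule: input is valid only if the recognizer consumes all of it.
    return "function" if not value[end:].strip() else "trailing-data"


def audit(env: dict) -> list:
    """Names of variables whose values a strict recognizer would reject."""
    return sorted(k for k, v in env.items()
                  if classify(v) in ("malformed", "trailing-data"))


# Constructed sample environment; "x" carries the value quoted in the thread.
SAMPLE_ENV = {"PATH": "/usr/bin:/bin",
              "greet": "() { echo '}'; }",
              "x": "() { :;}; echo vulnerable"}
```
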