On Fri, Sep 26, 2014 at 10:36 AM, Chris Hellyar <[email protected]> wrote:

> The current published/known exploit/vector from this is via apache, with
> cgi enabled and a cgi script using bash as its interpreter.
>

Or any execution environment (mod_perl, PHP, etc) that runs code that uses
"the shell" to run a command, e.g. `cmd` or system(cmd) - if /bin/sh points
to /bin/bash you are potentially vulnerable, or if the code explicitly runs
bash. Debian doesn't do this, they point the default shell to dash instead.
RedHat does point to bash, and you can't trivially change it.

Beware of rogue DHCP responses on your local networks, too - most Linux
runs "the shell" as part of dhclient.
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
I don't yet know if Android or iOS are vulnerable to DHCP shellshock.

-jim
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
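
A local check for the condition discussed in the message above, as an added example that is not part of the original thread: it reports what a shell path such as /bin/sh resolves to and whether that interpreter executes code placed after a function definition in an environment variable. The function names and the marker string are constructed for illustration, and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added example: local Shellshock exposure check for the shells named in the thread.

MARKER="SHELLSHOCK_PROBE_HIT"   # constructed marker, only ever echoed locally

# Print the real file a shell path resolves to (follows symlinks).
resolve_shell() {
    readlink -f "$1"
}

# Print the basename of the resolved interpreter, e.g. "bash" or "dash".
# Heuristic: relies on the file name, as the /bin/sh -> bash|dash link does.
shell_flavour() {
    basename "$(resolve_shell "$1")"
}

# Return 0 if the interpreter runs the command that trails a function
# definition in an environment variable, 1 if the probe stays silent.
runs_trailing_env_code() {
    out=$(env "probe=() { :;}; echo $MARKER" "$1" -c ':' 2>/dev/null)
    case "$out" in
        *"$MARKER"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one shell path. Exit status: 0 probe silent, 1 vulnerable, 2 missing.
audit_shell() {
    target=$(resolve_shell "$1")
    if [ -z "$target" ] || [ ! -x "$target" ]; then
        echo "$1: missing or not executable"
        return 2
    fi
    if runs_trailing_env_code "$target"; then
        echo "$1 -> $target ($(shell_flavour "$1")): VULNERABLE"
        return 1
    fi
    echo "$1 -> $target ($(shell_flavour "$1")): probe did not fire"
}

# The two interpreters the thread is concerned with.
for s in /bin/sh /bin/bash; do
    audit_shell "$s" || true
done
```

A silent probe on /bin/sh only covers code that goes through "the shell"; scripts that invoke bash explicitly are covered by the /bin/bash line.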