On Fri, 2014-09-26 at 17:40 +1200, Chris Hellyar wrote:
> (Sorry long post. :-)
>
> Hmmm,
>
> You're not wrong, but polluting the environment before the webserver
> starts or after it's running is a different proposition from injecting
> into the environment in a single pass with predictable results. What
> makes the cgi vs shellshock exploit viable is that that cgi module
> sets a chunk of the environment from the get/post request.
>
> A quick reasoning:
>
> php code, run on debian/apache/php, called from my desktop with
> chrome:
> <? system("bash -c set"); ?>
>
[snip]
So following on from my earlier comment that the only people I expect to
see using CGI are developers with aspirations, how does this work with
apache and
- fastcgi
- SuPHP
modes, both of which ( ignoring the unbelievable performance hit of the
latter ) will be far more common, and what difference does the
population of disable_functions in php.ini make ( and short_open_tag
lol )?
Sorry to ask, no apache close by.
Steve
>
--
Steve Holdoway BSc(Hons) MIITP
http://www.greengecko.co.nz
Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa
_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
