I did a very quick test today using mod_perl running as my own user. Maybe you could try something similar.

I'm running on CentOS where it is vulnerable:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    vulnerable
    this is a test

In my mod_perl script I added:

    system( '/bin/bash -c env >> /home/bill/env.bash' );
    system( '/bin/env >> /home/bill/env.env' );

I also included a "print STDERR Dumper \%ENV;" in the mod_perl script.

I'm using "SetHandler perl-script" to build the CGI environment. Dumping \%ENV I could see all the CGI environment variables in the Apache log, but env.out and env.bash didn't contain any of the CGI environment vars.

I also added a header to my request to attempt to use the exploit:

    $req->header( Referer => '() { :; }; echo oops >> /home/bill/oops.txt' );

And that file didn't show up, either.

I'm not quite clear where (or sure that) the environment is getting scrubbed.

On Thu, Sep 25, 2014 at 9:59 AM, Sue Spence <virtually...@gmail.com> wrote:

> Is your system shell bash? Does your application have any code which shells
> out to that (system(), ``, qx() etc)? If so, then probably yes.
>
> On 25 September 2014 14:52, gvim <gvi...@gmail.com> wrote:
>
> > I built a site several years ago with CGI::Application which runs in cgi,
> > not psgi mode. Is it likely to be vulnerable to the recent bash security
> > hole which I understand revolves around setting ENV variables?
> >
> > gvim

--
Bill Moseley
mose...@hank.org
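Added example, not part of the original thread: a small shell audit for the kind of environment dump files the test above writes (env.bash, env.env). It counts the CGI-style variables that reached the child process and names any variable whose value begins with the `() {` function-definition prefix. The function names, the list of CGI variable names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `env` dumps written by a child process of a web handler.
# Assumes one NAME=VALUE pair per line (values containing newlines are not handled).

# Print the names of variables whose value starts with "() {", the
# function-definition prefix used in the test string from the thread.
flag_funcdef_vars() {
    awk -F= '
        /^[A-Za-z_][A-Za-z0-9_]*=/ {
            name = $1
            value = substr($0, length(name) + 2)   # keep any "=" inside the value
            if (value ~ /^\(\)[ \t]*[{]/) print name
        }' "$1"
}

# Count CGI-style variables in a dump. A non-zero count means request data
# is reaching the child's environment. The name list is illustrative.
count_cgi_vars() {
    grep -Ec '^(HTTP_[A-Z0-9_]+|REQUEST_METHOD|QUERY_STRING|REMOTE_ADDR|GATEWAY_INTERFACE)=' "$1" || true
}

# Constructed sample dumps (not real captures).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    # Matches what the thread reports: the child saw no CGI variables.
    printf '%s\n' 'PATH=/usr/bin:/bin' 'LANG=C' > "$SAMPLE_DIR/scrubbed.env"
    # What a dump looks like when request headers are passed through.
    printf '%s\n' 'PATH=/usr/bin:/bin' 'REQUEST_METHOD=GET' \
        'HTTP_USER_AGENT=test-client' \
        'HTTP_REFERER=() { :; }; echo oops' > "$SAMPLE_DIR/cgi.env"
}

make_samples
for f in "$SAMPLE_DIR"/*.env; do
    echo "$f: cgi_vars=$(count_cgi_vars "$f") function_like=$(flag_funcdef_vars "$f" | tr '\n' ' ')"
done
rm -rf "$SAMPLE_DIR"
```

A dump with zero CGI variables, like the one described in the message, means the child's environment never carried the request headers, so the header test could not have reached bash by that route.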