Keep in mind, I'm not an expert :) That is just what I understood from reading the half of the thread posted above.
There are some exceptions, like web servers setup for cgi scripts, but I haven't set that up on any of the webservers I've managed. Or any other public access point that runs a shell and creates environment variables that could be defined by the user/attacker. And if you run a service where there are multiple people logging into your server, like a shared hosting company or such, then this is obviously a major concern. On Thu, Sep 25, 2014 at 8:37 AM, Michael Torrie <[email protected]> wrote: > On 09/25/2014 08:31 AM, John Shaver wrote: >> On Thu, Sep 25, 2014 at 8:23 AM, Michael Torrie <[email protected]> wrote: >>> I've run a few tests >>> and I'm unable to get the exploit to work remotely unless I get the >>> login to succeed. Obviously I'm missing something. Can someone help me >>> out here? >> >> I think that's the way it works. I think the attacker has to have a >> login point (their's or one they 'acquired' from someone else), but >> then they can gain elevated privileges. > > Good to know. Thank you! > > /* > PLUG: http://plug.org, #utah on irc.freenode.net > Unsubscribe: http://plug.org/mailman/options/plug > Don't fear the penguin. > */ /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
