On 09/25/2014 08:48 AM, John Shaver wrote:
> Keep in mind, I'm not an expert :) That is just what I understood
> from reading the half of the thread posted above.
>
> There are some exceptions, like web servers set up for CGI scripts, but
> I haven't set that up on any of the web servers I've managed. Or any
> other public access point that runs a shell and creates environment
> variables that could be defined by the user/attacker. And if you run
> a service where there are multiple people logging into your server,
> like a shared hosting company or such, then this is obviously a major
> concern.
So suddenly I'm a bit confused. Certain sites are buzzing with talk about port 80 vulnerabilities being identified all over the web. People have been talking about this being a problem for CGI scripts, since the environment goes through bash. I assume they must be talking about CGI scripts written in bash, right? Because even if Apache called system() or some popen with a shell, why would it go through bash instead of, say, sh? If no default shell is specified for a user (none is specified for apache), would bash still be the default?

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
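The three questions in the message above (does the environment really reach bash, does system()/popen() pick bash or sh, and does the web server account's login shell matter) can be answered on the box itself. The script below is an added example, not something posted in the thread. It models the CGI header-to-environment mapping from RFC 3875, resolves what /bin/sh actually is (libc's system() and popen() always run /bin/sh -c, whatever login shell the apache account has or lacks; on Debian/Ubuntu /bin/sh is dash, on RHEL/CentOS of that era it is bash), shows how bash itself ships functions through the environment as values beginning with "() {", and runs the standard check for the bash environment-variable bug the thread is about (publicly known as Shellshock, CVE-2014-6271). It assumes a Linux system with readlink and a bash binary on PATH; the function names and the header values are my own.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): trace how attacker-controlled
# request data reaches a shell through CGI, and check which shell that is.

# 1. CGI (RFC 3875) exposes request headers to the script as environment
#    variables: "User-Agent: x" becomes HTTP_USER_AGENT=x. The value is
#    entirely attacker-chosen; only the name is transformed.
cgi_env_name() {
    # $1 is a header name, e.g. User-Agent -> HTTP_USER_AGENT
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# 2. system() and popen() in libc execute "/bin/sh -c CMD". They never look
#    at the login shell of the account the web server runs as, so the only
#    question is what /bin/sh points to on this machine.
resolve_bin_sh() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

bin_sh_is_bash() {
    case "$(resolve_bin_sh)" in
        *bash*) return 0 ;;
        *)      return 1 ;;
    esac
}

# 3. The bash feature behind the bug: "export -f" passes a function to child
#    processes as an environment variable whose value starts with "() {",
#    and every new bash scans its environment for such values at startup.
#    This prints the entry as a child would see it (variable name differs
#    between bash versions; the "() {" prefix is what matters).
exported_function_env_entry() {
    command -v bash >/dev/null 2>&1 || { echo "no bash"; return; }
    bash -c 'greet() { echo hi; }; export -f greet; env' \
        | grep 'greet.*() {' | head -n 1
}

# 4. The check itself: put a function definition followed by extra code into
#    an environment variable and start bash. A vulnerable bash runs the
#    trailing "echo INJECTED" while importing the function; a patched one
#    treats the whole value as an ordinary string variable.
bash_env_function_check() {
    check_shell=${1:-bash}
    command -v "$check_shell" >/dev/null 2>&1 || { echo "no bash"; return; }
    check_out=$(env testvar='() { :;}; echo INJECTED' \
                "$check_shell" -c 'echo probe' 2>/dev/null)
    case "$check_out" in
        *INJECTED*) echo "vulnerable" ;;
        *)          echo "not vulnerable" ;;
    esac
}

# Stand-alone report.
echo "Header User-Agent arrives as: $(cgi_env_name User-Agent)"
echo "/bin/sh resolves to: $(resolve_bin_sh)"
if bin_sh_is_bash; then
    echo "system()/popen() on this host run bash"
else
    echo "system()/popen() on this host do not run bash (CGI scripts with #!/bin/bash still do)"
fi
echo "exported function as seen in a child's environment: $(exported_function_env_entry)"
echo "bash environment-function check: $(bash_env_function_check bash)"
```

Note the last report line: even when /bin/sh is dash, a CGI script with a bash shebang, or one that itself runs bash, still parses the attacker-supplied HTTP_* variables, which is why the issue was not limited to scripts written in bash.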
