On 09/25/2014 12:27 PM, Michael Torrie wrote:
On 09/25/2014 12:25 PM, Michael Torrie wrote:
People have been talking about this being a problem for CGI scripts,
since the environment goes through bash. I assume they must be talking
about cgi scripts written in bash, right? Because even if apache called
system() or some popen with a shell, why would it go through bash
instead of say sh? If no default shell is specified for a user (none is
specified for apache), would bash still be the default?
My only excuse is that I'm home ill today. Sigh. Bash provides /bin/sh.
/bin/sh on debian-based systems is usually /bin/dash by default. this
executes the exploit through a call to system().
env x='() { :;}; echo vulnerable' python -c "import os; os.system('echo
this is a test')"
i tested this on an ubuntu 14.04 system that has an unpatched bash and
it did not echo vulnerable. running the same command on something redhat
based resulted in vulnerable being printed to the shell.
that doesn't mean that users of debian-based systems shouldn't take this
seriously. its just that one of the attack vectors isn't valid on those
by default.
mike
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
