[Cialug] Shellshock Bash Remote Code Execution Vulnerability

Zachary Kotlarek zach at kotlarek.com
Thu Sep 25 13:47:52 CDT 2014


On Sep 25, 2014, at 11:18 AM, Scott Yates <Scott at yatesframe.com> wrote:

> Jeffrey, it just boggles my mind they would do that, but that does appear
> to be the case.  Bad times ahead.


Except mod_cgi doesn’t know what program will receive those headers, so it cannot provide any useful filtering for bash without impeding the legitimate function of other programs. For any program other than bash those are perfectly legitimate environmental variables, and might contain data the program wants or needs.

IMHO the real problem — beside bash blindly executing code — is that mod_cgi lets people attach arbitrary programs to the web. It’s useful, but it’s dangerous, as most programs are not designed for such exposure.

	Zach
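As an added illustration of the point above (example code, not part of the list post or of Apache/bash): a CGI gateway maps every request header into the child's environment by a fixed rule (RFC 3875, `HTTP_` prefix, upper-case, dashes to underscores) and has no idea which interpreter will read them, so a filter at that layer cannot be specific to bash. What a defender can do is look, at the web server or in its logs, for the exported-function marker that the pre-patch bash parsed out of any environment value. The log lines, client addresses and header values below are constructed for the example.

```python
"""Added example: CGI header-to-environment mapping, plus a log check for the
bash exported-function marker. Not code from the Cialug thread or from Apache."""
import re

# RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>, upper-cased,
# '-' replaced by '_'. Note the function has no parameter for the receiving
# program: the gateway performs the same mapping for a Perl script, a compiled
# binary or a bash script alike.
def headers_to_cgi_env(headers):
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

# Pre-fix bash treated any environment value beginning with "() {" as a function
# definition and kept parsing past the closing brace. This prefix is the widely
# published detection heuristic; the check does not interpret what follows it.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")

def is_function_export(value):
    return bool(FUNCTION_EXPORT.match(value))

def suspicious_env_keys(env):
    """Names of environment variables whose value carries the marker."""
    return sorted(k for k, v in env.items() if is_function_export(v))

# Constructed Apache combined-format access log (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2014:13:47:52 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.11 - - [25/Sep/2014:13:48:01 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo constructed-test"
203.0.113.12 - - [25/Sep/2014:13:48:09 -0500] "GET /index.html HTTP/1.1" 200 2048 "() { :;}; echo constructed-test" "curl/7.37.0"
"""

# client, timestamp, request line, status, bytes, referer, user-agent
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)

def scan_access_log(text):
    """Return (client, request, header) for lines whose Referer or User-Agent
    carries the marker. Only headers the combined format records are visible
    here; a server-side check (mod_security, or an allow-list of HTTP_* variables
    passed to CGI children) sees every header."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _ts, request, _status, referer, ua = m.groups()
        for header, value in (("Referer", referer), ("User-Agent", ua)):
            if is_function_export(value):
                hits.append((client, request, header))
    return hits

if __name__ == "__main__":
    env = headers_to_cgi_env({"User-Agent": "curl/7.37.0", "X-Forwarded-For": "203.0.113.10"})
    print(env)                      # HTTP_USER_AGENT, HTTP_X_FORWARDED_FOR
    for hit in scan_access_log(SAMPLE_LOG):
        print("marker seen:", hit)
```

The third log line shows why a check keyed on the CGI path alone is too narrow: the marker arrives in a header on a request for a static page, which would still matter if that request were rewritten or proxied to a script.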
