[Cialug] Shellshock Bash Remote Code Execution Vulnerability

David Champion dchamp1337 at gmail.com
Thu Sep 25 13:50:45 CDT 2014


Yeah, that's why I cringe whenever I see cgi-bin.

-dc

On Thu, Sep 25, 2014 at 1:47 PM, Zachary Kotlarek <zach at kotlarek.com> wrote:

>
> On Sep 25, 2014, at 11:18 AM, Scott Yates <Scott at yatesframe.com> wrote:
>
> > Jeffrey, it just boggles my mind they would do that, but that does appear
> > to be the case.  Bad times ahead.
>
>
> Except mod_cgi doesn’t know what program will receive those headers, so it
> cannot provide any useful filtering for bash without impeding the
> legitimate function of other programs. For any program other than bash
> those are perfectly legitimate environmental variables, and might contain
> data the program wants or needs.
>
> IMHO the real problem — beside bash blindly executing code — is that mod_cgi
> lets people attach arbitrary programs to the web. It’s useful, but it’s
> dangerous, as most programs are not designed for such exposure.
>
>         Zach
>
>
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
>

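The mechanism Zach describes above, worked through as an added example (this is not code from the thread, from Apache, or from bash): how a CGI gateway turns a request header into an environment variable per RFC 3875, how a Shellshock probe rides in on that variable, a check for whether the local bash still imports function definitions from the environment (CVE-2014-6271), and a log-side detector for the probe. The header names, payload string and access-log lines are constructed for the example, and the probe assumes a `bash` binary on PATH.

```shell
#!/bin/sh
# Added example for the Shellshock thread; not code from the list, Apache or bash.

# RFC 3875 section 4.1.18: a request header becomes "HTTP_" + the header
# name upper-cased with '-' replaced by '_'. This is the mapping mod_cgi
# applies to every header, whatever program is behind the URL.
cgi_env_name() {
    printf 'HTTP_%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# The classic payload shape (constructed): a pre-patch bash treats a value
# beginning with "() {" as an exported function definition and executes
# whatever follows the closing brace while importing the environment.
SHELLSHOCK_PAYLOAD='() { :;}; echo VULNERABLE'

# Build the environment the way mod_cgi would for a request carrying this
# User-Agent, then start a child bash on a harmless command. Returns 0 if
# the child executed the trailing command (unpatched bash), 1 otherwise.
bash_imports_functions_from_env() {
    out=$(env "$(cgi_env_name User-Agent)=$SHELLSHOCK_PAYLOAD" \
          bash -c 'echo ok' 2>/dev/null)
    case $out in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Log-side detection: no browser sends a header value that starts with a
# function definition, so "() {" (optionally with whitespace) in a logged
# User-Agent or Referer is a high-confidence probe indicator.
looks_like_shellshock() {
    printf '%s' "$1" | grep -Eq '\(\)[[:space:]]*[{]'
}

# Two constructed combined-format access-log lines: one probe, one browser.
ACCESS_LOG='198.51.100.7 - - [25/Sep/2014:13:50:45 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"id\""
203.0.113.9 - - [25/Sep/2014:13:51:02 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"'

count_shellshock_probes() {
    printf '%s\n' "$ACCESS_LOG" | grep -Ec '\(\)[[:space:]]*[{]'
}

# Stand-alone run: report the header mapping, the probe count and the result
# of the local bash check.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "User-Agent is exported as $(cgi_env_name User-Agent)"
    echo "Shellshock probes in constructed log: $(count_shellshock_probes)"
    if bash_imports_functions_from_env; then
        echo "local bash: imports functions from the environment (unpatched)"
    else
        echo "local bash: did not execute the payload"
    fi
fi
```

The check only tells you about the bash on the host running it; the exposure Zach describes depends on which interpreter ends up behind `/cgi-bin/`, which is why a gateway-level filter has nothing reliable to key on.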
