[Cialug] Shellshock Bash Remote Code Execution Vulnerability

Will staticphantom at gmail.com
Thu Sep 25 15:28:50 CDT 2014


Little PERL that popped up on IRC.

http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/

On Thu, Sep 25, 2014 at 3:40 PM, Scott Yates <Scott at yatesframe.com> wrote:

> I am saying: It seems like a very bad idea to put arbitrary client supplied
> data into environment variables.  Push them to programs via files, or
> pipes, or FIFO buffers, but keeping them separated from the system level
> environment seems like a better way to handle it.  Even if you have to
> write some wrapper code to handle the data exchange.
>
>
> On Thu, Sep 25, 2014 at 2:32 PM, Zachary Kotlarek <zach at kotlarek.com>
> wrote:
>
> >
> > On Sep 25, 2014, at 11:50 AM, Scott Yates <Scott at yatesframe.com> wrote:
> >
> > > That seems like an excellent reason to NOT just stuff unknown data into
> > > system level environment variables EVAR!
> >
> >
> > I’m unclear on what you’d have mod_cgi do differently that would still
> > allow it to easily interface with arbitrary CLI programs.
> >
> > Or are you just saying “don’t use mod_cgi”?
> >
> >         Zach
> >
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
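To make Scott's suggestion concrete (request data handed to the child over a pipe, not exported as variables) and to show what a defender would log on, here is an added example that is not code from this thread or from mod_cgi. SAMPLE_HEADERS, CHILD_ARGV and the JSON-over-stdin convention are constructed for the example; the `() {` prefix is the function-export marker pre-fix Bash honoured (CVE-2014-6271).

```python
"""Added example, not code from the thread or from mod_cgi: it contrasts the
CGI convention of exporting request headers as HTTP_* environment variables
with Scott's alternative of handing the data to the child over a pipe, and
shows the header check a defender would log on. SAMPLE_HEADERS and CHILD_ARGV
are constructed for the example."""
import json
import subprocess
import sys

# The prefix pre-fix Bash treated as an exported function definition when it
# appeared at the start of any environment variable value (CVE-2014-6271).
SHELLSHOCK_MARKER = "() {"

# Constructed request headers; the User-Agent value carries the marker with
# a harmless tail, the shape a scanner or IDS signature keys on.
SAMPLE_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "() { :; }; echo probe",
}

# Constructed child program standing in for an arbitrary CGI script: it
# reports how many fields arrived on stdin and which HTTP_* variables it
# can see in its own environment.
CHILD_ARGV = [
    sys.executable, "-c",
    "import json, os, sys; d = json.load(sys.stdin); "
    "print(len(d), sorted(k for k in os.environ if k.startswith('HTTP_')))",
]


def classic_cgi_env(headers):
    """Mirror the CGI convention: each request header becomes HTTP_<NAME>.
    Every value here is client-controlled and reaches the child's environment."""
    return {"HTTP_" + n.upper().replace("-", "_"): v for n, v in headers.items()}


def suspicious_headers(headers):
    """Names of headers whose value Bash would have parsed as a function body.
    Worth logging at the web server or proxy; no legitimate client sends this."""
    return [n for n, v in headers.items() if v.lstrip().startswith(SHELLSHOCK_MARKER)]


def run_via_env(headers, argv=CHILD_ARGV):
    """The pattern the thread argues against: client bytes exported as variables."""
    env = {"PATH": "/usr/bin:/bin"}
    env.update(classic_cgi_env(headers))
    return subprocess.run(argv, input="{}", capture_output=True,
                          text=True, env=env).stdout.strip()


def run_via_pipe(headers, argv=CHILD_ARGV):
    """Scott's alternative: a fixed minimal environment, request data on stdin."""
    env = {"PATH": "/usr/bin:/bin"}
    return subprocess.run(argv, input=json.dumps(headers), capture_output=True,
                          text=True, env=env).stdout.strip()


if __name__ == "__main__":
    print("flagged headers:", suspicious_headers(SAMPLE_HEADERS))
    print("env style  ->", run_via_env(SAMPLE_HEADERS))
    print("pipe style ->", run_via_pipe(SAMPLE_HEADERS))
```

Run stand-alone, the env-style call shows the child seeing `HTTP_HOST` and `HTTP_USER_AGENT` (the marker included) in its environment, while the pipe-style call shows the same two fields arriving on stdin with no `HTTP_*` variables at all. The wrapper does not make an unpatched Bash safe; it removes the channel through which untrusted bytes reach Bash's environment parser in the first place, which is the point Scott is making.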

