[Cialug] Shellshock Bash Remote Code Execution Vulnerability

kristau kristau at gmail.com
Fri Sep 26 20:35:27 CDT 2014


Maybe I'm missing something here, but wouldn't properly configured SELinux
policies prevent an apache/httpd owned cgi from executing /bin/bash?

On Thu, Sep 25, 2014 at 4:10 PM, L. V. Lammert <lvl at omnitec.net> wrote:

> I agree that the bash vulnerability is serious, .. but there seem to be
> some mitigating factors that are not being observed in all the excitement:
>
> 1) Most modern web code uses a language with its own environment (Rails,
> PHP, ..). As such, the web page itself has no access to the environment.
> We have not supported a cgi application in probably six or seven years!
>
> 2) We NEVER used bash for a cgi application, even when we did - sh was
> always the best tool. KISS.
>
> So, it sounds like most of the scare related to bad programming practices?
> Not that they aren't important either, but nobody mentions reality!
>
>         Lee



-- 
Tired programmer
Coding late into the night
The core dump follows

