[Cialug] Shellshock Bash Remote Code Execution Vulnerability

Scott Yates Scott at yatesframe.com
Thu Sep 25 14:40:20 CDT 2014


I am saying: It seems like a very bad idea to put arbitrary client supplied
data into environment variables.  Push them to programs via files, or
pipes, or FIFO buffers, but keeping them separated from the system level
environment seems like a better way to handle it.  Even if you have to
write some wrapper code to handle the data exchange.


On Thu, Sep 25, 2014 at 2:32 PM, Zachary Kotlarek <zach at kotlarek.com> wrote:

>
> On Sep 25, 2014, at 11:50 AM, Scott Yates <Scott at yatesframe.com> wrote:
>
> > That seems like an excellent reason to NOT just stuff unknown data into
> > system level environment variables EVAR!
>
>
> I’m unclear on what you’d have mod_cgi do differently that would still
> allow it to easily interface with arbitrary CLI programs.
>
> Or are you just saying “don’t use mod_cgi”?
>
>         Zach
>
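One way to implement the separation Scott argues for, as an added illustration that is not code from this thread or from mod_cgi: the wrapper whitelists only server-controlled variables for the child's environment and hands the request headers to the CGI program over stdin in a length-prefixed framing, with a child-side parser for the same framing. The script path, header names and framing format are assumptions made for the example.

```python
import os
import subprocess
from typing import Dict, Mapping, Optional, Tuple

# Static, server-controlled variables the CGI child genuinely needs.
# Everything else, above all the HTTP_* request headers mod_cgi would
# export, is withheld from the child's environment (assumed list).
ALLOWED_STATIC = ("PATH", "LANG", "TZ")


def build_child_env(source: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Copy only whitelisted variables; nothing client-supplied reaches the child."""
    source = os.environ if source is None else source
    return {k: v for k, v in source.items() if k in ALLOWED_STATIC}


def serialize_request(headers: Mapping[str, str], body: bytes) -> bytes:
    """Length-prefixed framing so a header value may contain any bytes safely."""
    out = bytearray()
    for name, value in headers.items():
        item = name.encode("latin-1") + b"\0" + value.encode("latin-1")
        out += len(item).to_bytes(4, "big") + item
    out += (0).to_bytes(4, "big")  # zero-length record marks end of headers
    out += body
    return bytes(out)


def parse_request(stream: bytes) -> Tuple[Dict[str, str], bytes]:
    """Child-side counterpart: recover headers and body from the framed stream."""
    headers: Dict[str, str] = {}
    pos = 0
    while True:
        n = int.from_bytes(stream[pos:pos + 4], "big")
        pos += 4
        if n == 0:
            break
        name, _, value = stream[pos:pos + n].partition(b"\0")
        pos += n
        headers[name.decode("latin-1")] = value.decode("latin-1")
    return headers, stream[pos:]


def run_cgi_via_pipe(script: str, headers: Mapping[str, str], body: bytes) -> Tuple[int, bytes]:
    """Run the CGI program with a clean environment; request data arrives on stdin only."""
    proc = subprocess.run([script], input=serialize_request(headers, body),
                          env=build_child_env(), capture_output=True, check=False)
    return proc.returncode, proc.stdout
```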