[Cialug] Shellshock Bash Remote Code Execution Vulnerability

Will staticphantom at gmail.com
Thu Sep 25 15:37:51 CDT 2014


Ok, this was pretty awesome and shows how widespread the bug is. My last
post on this thread:
http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html#.VCR8sfldVD1

Read the updates, that is where it gets very interesting.

On Thu, Sep 25, 2014 at 4:28 PM, Will <staticphantom at gmail.com> wrote:

> Little PERL that popped up on IRC.
>
>
> http://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
>
> On Thu, Sep 25, 2014 at 3:40 PM, Scott Yates <Scott at yatesframe.com> wrote:
>
>> I am saying: It seems like a very bad idea to put arbitrary client-supplied
>> data into environment variables. Push them to programs via files, or
>> pipes, or FIFO buffers, but keeping them separated from the system-level
>> environment seems like a better way to handle it. Even if you have to
>> write some wrapper code to handle the data exchange.
>>
>>
>> On Thu, Sep 25, 2014 at 2:32 PM, Zachary Kotlarek <zach at kotlarek.com>
>> wrote:
>>
>> >
>> > On Sep 25, 2014, at 11:50 AM, Scott Yates <Scott at yatesframe.com> wrote:
>> >
>> > > That seems like an excellent reason to NOT just stuff unknown data
>> > > into system-level environment variables EVAR!
>> >
>> >
>> > I’m unclear on what you’d have mod_cgi do differently that would still
>> > allow it to easily interface with arbitrary CLI programs.
>> >
>> > Or are you just saying “don’t use mod_cgi”?
>> >
>> >         Zach
>> >
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>>
>
>
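Scott's suggestion above (keep client-supplied request data out of the child's environment and hand it over through a pipe instead) as an added Python example; this is not code from the thread or from mod_cgi. The split between server-originated and client-originated CGI variables, the JSON-on-stdin convention and the sample request are assumptions made for the demonstration.

```python
import json
import subprocess
import sys

# CGI meta-variables whose values come straight from the client. Constructed
# for this example from the CGI/1.1 variable list; not exhaustive.
CLIENT_PREFIXES = ("HTTP_",)
CLIENT_VARS = {"QUERY_STRING", "PATH_INFO", "CONTENT_TYPE", "CONTENT_LENGTH",
               "REQUEST_METHOD", "REQUEST_URI"}

# Constructed sample request, shaped the way a CGI gateway would export it.
SAMPLE_CGI_VARS = {
    "SERVER_SOFTWARE": "Apache",
    "GATEWAY_INTERFACE": "CGI/1.1",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "id=42",
    "HTTP_USER_AGENT": "() { :;}; echo test",  # value shaped like an exported bash function
}

def split_env(cgi_vars):
    """Separate server-originated variables (kept in the environment) from
    client-originated ones (delivered on stdin instead)."""
    safe, client = {}, {}
    for name, value in cgi_vars.items():
        if name.startswith(CLIENT_PREFIXES) or name in CLIENT_VARS:
            client[name] = value
        else:
            safe[name] = value
    return safe, client

def looks_like_function_export(value):
    """True if a value starts the way an exported bash function does ('() {'),
    the shape an unpatched bash would parse and evaluate on startup."""
    return value.lstrip().startswith("() {")

def run_isolated(argv, cgi_vars):
    """Run argv with a minimal, non-inherited environment; client data goes
    in as one JSON document on stdin. Returns the child's stdout (bytes)."""
    safe_env, client_data = split_env(cgi_vars)
    env = {"PATH": "/usr/bin:/bin"}
    env.update(safe_env)
    proc = subprocess.run(argv, input=json.dumps(client_data).encode(),
                          env=env, stdout=subprocess.PIPE, check=True)
    return proc.stdout

# Child used for the demonstration: reports whether the User-Agent reached it
# through the environment or through stdin.
CHILD = [sys.executable, "-c",
         "import json,os,sys;d=json.load(sys.stdin);"
         "print(json.dumps({'in_env':'HTTP_USER_AGENT' in os.environ,"
         "'via_stdin':d.get('HTTP_USER_AGENT')}))"]

def demo():
    return json.loads(run_isolated(CHILD, SAMPLE_CGI_VARS))
```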

