update
On Sep 24, 2014 6:39 PM, "Michael Thomas" <mike at mtcc.com> wrote:
>
>
> On 9/24/14, 3:27 PM, Jim Popovitch wrote:
>>
>> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg at gmail.com> wrote:
>>>
>>> The scope of the issue isn't limited to SSH, that's just a popular
>>> example people are using. Any program calling bash could potentially
>>> be vulnerable.
>>
>> Agreed. My point was that bash is not all that popular on
>> debian/ubuntu for accounts that would be running public facing
>> services that would be processing user defined input (www-data,
>> cgi-bin, list, irc, lp, mail, etc). Sure some non-privileged user
>> could host their own cgi script on >:1024, but that's not really a
>> critical "stop the presses!!" upgrade issue, imho.
>>
>>
>
> This has already made it to /. so I'm not sure why Randy was being so hush-hush...
>
> But my read is that this could affect anything that calls bash to do processing, like
> handing off to CGI by putting in headers to p0wn the box. Also: bash is incredibly
> pervasive through any unix distro, in not at all obvious places, so I wouldn't be
> complacent about this at all.
>
> Mike
If someone is already invoking #!/bin/bash from a cgi, then they are
already doing it wrong (bash has massive bloat/overhead for a CGI script).
But I do agree, it's hard to know exactly what idiots do. :-)
-Jim P.
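The two sides of this exchange disagree about how often bash actually sits behind a public-facing service: which service accounts use it as a login shell, which CGI scripts start with a bash shebang, and the less obvious case where "#!/bin/sh" is really bash because of how the distro links /bin/sh (Debian/Ubuntu ship dash there; RHEL/CentOS point it at bash). The script below is an added audit example, not something posted in the thread or shipped by any project; the function names, the sample passwd file and the sample cgi-bin contents are constructed here so it runs offline. On a real host you would point the functions at /etc/passwd, /bin/sh and the web server's cgi-bin directory.

```shell
#!/bin/sh
# Added example (not from the thread): find the places where bash would end up
# processing externally supplied input on a Unix host.

# Print login names from a passwd-format file whose login shell is bash.
# $1: passwd file (normally /etc/passwd; the demo uses a constructed sample).
bash_login_accounts() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# Return 0 if the given sh binary/symlink resolves to bash, 1 otherwise.
# Debian/Ubuntu link /bin/sh to dash, RHEL/CentOS to bash, so a "#!/bin/sh"
# script is only a bash script on the latter.
# $1: path to inspect (normally /bin/sh).
sh_is_bash() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    case "$(basename "$target")" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print scripts under a directory whose interpreter line names bash, or
# names sh when $2 is "yes" (meaning /bin/sh resolves to bash on this host).
# $1: directory to scan (normally the web server's cgi-bin); $2: yes|no.
cgi_scripts_using_bash() {
    dir=$1; sh_flag=$2
    find "$dir" -type f | while IFS= read -r f; do
        shebang=$(head -n 1 "$f" 2>/dev/null)
        case "$shebang" in
            '#!'*bash*)
                echo "$f" ;;
            '#!'*/sh|'#!'*/sh\ *)
                if [ "$sh_flag" = yes ]; then echo "$f"; fi ;;
        esac
    done
}

# Build a constructed sample (passwd file plus a cgi-bin directory) so the
# example runs without touching the real system. Prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/usr/bin/zsh
EOF
    mkdir -p "$d/cgi-bin"
    # A bash CGI that echoes a request header back: exactly the "headers
    # handed to bash" path discussed above.
    printf '#!/bin/bash\necho "Content-type: text/plain"\necho\necho "$HTTP_USER_AGENT"\n' \
        > "$d/cgi-bin/env.cgi"
    # A /bin/sh CGI: bash or not depending on what /bin/sh is on the host.
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho ok\n' \
        > "$d/cgi-bin/hello.cgi"
    # A Perl CGI: bash is not involved unless the script itself calls it.
    printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n' \
        > "$d/cgi-bin/hello.pl"
    echo "$d"
}

# Demo run against the constructed sample, using the real /bin/sh to decide
# whether "#!/bin/sh" scripts count.
sample=$(make_sample)
if sh_is_bash /bin/sh; then flag=yes; else flag=no; fi
echo "accounts with a bash login shell:"
bash_login_accounts "$sample/passwd"
echo "cgi scripts that would run under bash (sh is bash: $flag):"
cgi_scripts_using_bash "$sample/cgi-bin" "$flag"
rm -rf "$sample"
```

The passwd check reflects Jim's point (www-data, list and friends normally have nologin on Debian/Ubuntu), while the shebang scan plus the /bin/sh resolution covers Mike's "not at all obvious places": a tree of "#!/bin/sh" CGI scripts is harmless on one distro and a bash attack surface on another.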
- Follow-Ups:
- update
- From: ahebert at pubnix.net (Alain Hebert)
- update
- From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu)
- References:
- update
- From: randy at psg.com (Randy Bush)
- update
- From: jimpop at gmail.com (Jim Popovitch)
- update
- From: redkrieg at gmail.com (Brandon Whaley)
- update
- From: jimpop at gmail.com (Jim Popovitch)
- update
- From: mike at mtcc.com (Michael Thomas)