update
On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:
> If someone is already invoking #!/bin/bash from a cgi, then they are
> already doing it wrong (bash has massive bloat/overhead for a CGI script).
You sure you don't have *any* cgi's that do something like
system("mail -s 'cgi program xxyz hit fatal error' webadmin@localhost");
because all it takes is finding a way to force the fatal error while you
send a crafted User-Agent: header....
As Jim Popovitch said, bash usage is incredibly pervasive....
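
A defensive counterpart to the system() call discussed above, as an added example that is not part of the original post: a CGI server stores request headers in HTTP_* environment variables, and system() hands the whole environment to /bin/sh, so this sketch runs the child without a shell and with a fixed environment. The names SAFE_ENV, run_clean, notify_admin and env_names are hypothetical, and the sample CGI environment is constructed.

```python
import subprocess

# Fixed values the child needs. Nothing is copied from the CGI environment,
# where the web server stores request headers as HTTP_* variables.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def run_clean(argv, cgi_env, stdin=b""):
    """Run argv with no shell and only SAFE_ENV; return (stdout, dropped)."""
    dropped = sorted(name for name in cgi_env if name not in SAFE_ENV)
    # A list argv with the default shell=False is passed straight to exec,
    # so /bin/sh (which may be bash) never starts and never parses the
    # inherited environment.
    proc = subprocess.run(argv, input=stdin, env=dict(SAFE_ENV),
                          stdout=subprocess.PIPE, check=True)
    return proc.stdout.decode(), dropped


def notify_admin(cgi_env, program="xxyz"):
    """Shell-free equivalent of the system("mail -s ...") call in the post."""
    subject = "cgi program %s hit fatal error" % program
    return run_clean(["mail", "-s", subject, "webadmin@localhost"],
                     cgi_env, stdin=b"see server log\n")


def env_names(env_output):
    """Parse the output of /usr/bin/env into a set of variable names."""
    return {line.split("=", 1)[0]
            for line in env_output.splitlines() if "=" in line}


if __name__ == "__main__":
    # Constructed CGI environment; the header value is a harmless placeholder.
    cgi_env = {"PATH": "/usr/bin:/bin", "REQUEST_METHOD": "GET",
               "HTTP_USER_AGENT": "constructed-untrusted-value"}
    out, dropped = run_clean(["/usr/bin/env"], cgi_env)
    print("child environment:", sorted(env_names(out)))
    print("dropped before exec:", dropped)
```

Running the file uses /usr/bin/env as a stand-in child so the result can be inspected without a mail program installed.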