Hi folks,

By my digging, ipcalc includes a system() function call, but our Debian-based system VMs use dash as the system shell. So I think the system VM cgi-bin is not directly affected by this Shellshock concern, right?

GO from my iPhone

On 2014/09/30 10:13, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com> wrote:

> http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
>
> -----Original Message-----
> From: Sheng Yang [mailto:sh...@yasker.org]
> Sent: Monday, September 29, 2014 5:21 PM
> To: <dev@cloudstack.apache.org>
> Subject: Re: Shellshock
>
> http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's normal
> that it cannot be exploited.
>
> --Sheng
>
>> On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <
>> demetrius.tsitre...@citrix.com> wrote:
>>
>> Do you mean you tried setting the USER_AGENT like in
>> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
>> ?
>>
>> -----Original Message-----
>> From: Ian Duffy [mailto:i...@ianduffy.ie]
>> Sent: Friday, September 26, 2014 6:56 AM
>> To: CloudStack Dev
>> Subject: Re: Shellshock
>>
>> Tried this against the latest system vms built on Jenkins.
>>
>> Didn't get a successful exploited response. Tested against
>> http://systemvm-public-ip/cgi-bin/ipcalc
>>> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com> wrote:
>>>
>>> After heart bleed we are Shell shocked
>>> http://www.bbc.com/news/technology-29361794 !
>>> It may not affect cloudstack directly as it is a vulnerability that
>>> affects bash, and allows the attacker to take control of the system
>>> running bash shell.
>>>
>>> -abhi
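
The three questions raised in this thread (which interpreter runs the CGI script, whether it shells out with system(), and what /bin/sh resolves to) can be checked per script. The following is an added example, not part of the thread or of CloudStack code; the function names and output labels are hypothetical, and a `via-sh` result still needs manual review because Perl's system() only goes through /bin/sh for command strings that contain shell metacharacters.

```shell
#!/bin/sh
# Added example (not CloudStack code): triage a CGI script for bash exposure.
# Output labels direct / via-sh / explicit-bash / none-found are made up here.

# Print the interpreter named on the shebang line ("#!/usr/bin/env perl" -> perl).
interp_of() {
    first=$(head -n 1 "$1")
    case $first in
        '#!'*) ;;
        *) echo unknown; return 0 ;;
    esac
    set -- ${first#??}          # split "interpreter [arg]" into $1 $2
    prog=${1##*/}
    if [ "$prog" = env ] && [ -n "$2" ]; then prog=${2##*/}; fi
    echo "$prog"
}

# Succeed when the given path (normally /bin/sh) resolves to a bash binary.
resolves_to_bash() {
    target=$(readlink -f "$1") || return 1
    [ "${target##*/}" = bash ]
}

# Classify how a request's environment could reach bash through this script.
cgi_bash_exposure() {
    script=$1
    sh_path=${2:-/bin/sh}
    interp=$(interp_of "$script")
    if [ "$interp" = bash ]; then echo direct; return 0; fi
    if resolves_to_bash "$sh_path"; then
        if [ "$interp" = sh ]; then echo direct; return 0; fi
        # system()/exec()/popen()/qx/backticks may run "/bin/sh -c ...".
        if grep -Eq '(system|exec|popen)[[:space:]]*\(|qx[{(/]|`' "$script"; then
            echo via-sh; return 0
        fi
    fi
    # The script names bash itself, so the /bin/sh target does not protect it.
    if grep -Eq '(^|[^[:alnum:]_])bash([^[:alnum:]_]|$)' "$script"; then
        echo explicit-bash; return 0
    fi
    echo none-found
}

# Usage: sh cgi-triage.sh /path/to/cgi-bin/*   (no arguments: prints nothing)
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(cgi_bash_exposure "$f")"
done
```

A `none-found` result only covers the script itself; programs it launches may still invoke bash on their own.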