Right you are. I overlooked that.
However, calling it correctly still gives the same:
sh-3.2$ env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
vulnerable
this is a test
However, as Douglas stated earlier, it's limited to bash and sh in OSX; the
others seem to be ok.
sh-3.2$ env x='() { :;}; echo vulnerable' /bin/csh -c "echo this is a test"
this is a test
On 26 Sep 2014, at 2:25 pm, Peter Ross <[email protected]> wrote:
From: "Joh Lindley" <[email protected]>
Is Apple's sh a bash? I thought they are using FreeBSD's userland
(FreeBSD's sh is not affected [at least the tests are negative and
there is no SA])
It would appear so.
sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
You are calling the bash [not /bin/sh] here.
It shows that you have a bash installed.
Regards
Peter
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main