On Sep 24, 2014 6:39 PM, "Michael Thomas" <m...@mtcc.com> wrote: > > > On 9/24/14, 3:27 PM, Jim Popovitch wrote: >> >> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkr...@gmail.com> wrote: >>> >>> The scope of the issue isn't limited to SSH, that's just a popular >>> example people are using. Any program calling bash could potentially >>> be vulnerable. >> >> Agreed. My point was that bash is not all that popular on >> debian/ubuntu for accounts that would be running public facing >> services that would be processing user defined input (www-data, >> cgi-bin, list, irc, lp, mail, etc). Sure some non-privileged user >> could host their own cgi script on >:1024, but that's not really a >> critical "stop the presses!!" upgrade issue, imho. >> >> > > This is already made it to /. so I'm not sure why Randy was being so hush hush... > > But my read is that this could affect anything that calls bash to do processing, like > handing off to CGI by putting in headers to p0wn the box. Also: bash is incredibly > pervasive though any unix disto, in not at all obvious places, so I wouldn't be > complacent about this at all. > > Mike
If someone is already invoking #!/bin/bash from a cgi, then they are already doing it wrong (bash has massive bloat/overhead for a CGI script). But I do agree, it's hard to know exactly what idiots do. :-) -Jim P.
