On Sep 24, 2014 7:00 PM, <valdis.kletni...@vt.edu> wrote:
>
> On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:
>
> > If someone is already invoking #!/bin/bash from a cgi, then they are
> > already doing it wrong (bash has massive bloat/overhead for a CGI
script).
>
> You sure you don't have *any* cgi's that do something like
> system("mail -s 'cgi program xxyz hit fatal error' webadmin@localhost");
> because all it takes is finding a way to force the fatal error while you
> send a crafted User-Agent: header....That won't automatically invoke bash on Debian/Ubuntu....unless someone intentionally changed default shells.... -Jim P.
