cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Go Chiba <go.ch...@gmail.com>
Subject Re: Shellshock
Date Tue, 30 Sep 2014 15:38:19 GMT
Hi folks,

By my digging, ipcalc included system() function call but debian based our system vm are using
dash as system shell. So I think this shellshock concern are not directly affected to system
vm cgi-bin. right?

GO

from my iPhone

2014/09/30 10:13、Demetrius Tsitrelis <Demetrius.Tsitrelis@citrix.com> のメッセージ:

> http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
> 
> -----Original Message-----
> From: Sheng Yang [mailto:sheng@yasker.org] 
> Sent: Monday, September 29, 2014 5:21 PM
> To: <dev@cloudstack.apache.org>
> Subject: Re: Shellshock
> 
> http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's normal that it
cannot be exploited.
> 
> --Sheng
> 
>> On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis < Demetrius.Tsitrelis@citrix.com>
wrote:
>> 
>> Do you mean you tried setting the USER_AGENT like in 
>> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard
>> -remote-detection-for-bash-shellshock
>> ?
>> 
>> 
>> -----Original Message-----
>> From: Ian Duffy [mailto:ian@ianduffy.ie]
>> Sent: Friday, September 26, 2014 6:56 AM
>> To: CloudStack Dev
>> Subject: Re: Shellshock
>> 
>> Tried this against the latest system vms built on Jenkins.
>> 
>> Didn't get a successful exploited response. Tested against 
>> http://systemvm
>> - public-ip/cgi-bin/ipcalc
>>> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2001@gmail.com> wrote:
>>> 
>>> 
>>> After heart bleed we are Shell shocked
>>> http://www.bbc.com/news/technology-29361794 !
>>> It may not affect cloudstack directly as it is a vulnerability that 
>>> affects bash, and allows the attacker to take control of the system 
>>> running bash shell.
>>> 
>>> -abhi
>> 

Mime
View raw message