cloudstack-dev mailing list archives

From Sheng Yang <sh...@yasker.org>
Subject Re: Shellshock
Date Tue, 30 Sep 2014 21:47:02 GMT
The parameters of the system() function have been verified as valid IP/netmask
format by the script, so I don't think other parameters would be able to slip
in, in this case.

--Sheng

On Tue, Sep 30, 2014 at 8:38 AM, Go Chiba <go.chiba@gmail.com> wrote:

> Hi folks,
>
> From my digging, ipcalc includes a system() function call, but our Debian-based
> system VMs use dash as the system shell. So I think this Shellshock
> concern does not directly affect the system VM cgi-bin, right?
>
> GO
>
> from my iPhone
>
> On 2014/09/30 10:13, Demetrius Tsitrelis <Demetrius.Tsitrelis@citrix.com>
> wrote:
>
> > http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
> >
> > -----Original Message-----
> > From: Sheng Yang [mailto:sheng@yasker.org]
> > Sent: Monday, September 29, 2014 5:21 PM
> > To: <dev@cloudstack.apache.org>
> > Subject: Re: Shellshock
> >
> > http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's
> normal that it cannot be exploited.
> >
> > --Sheng
> >
> >> On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <
> Demetrius.Tsitrelis@citrix.com> wrote:
> >>
> >> Do you mean you tried setting the USER_AGENT like in
> >> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
> >> ?
> >>
> >>
> >> -----Original Message-----
> >> From: Ian Duffy [mailto:ian@ianduffy.ie]
> >> Sent: Friday, September 26, 2014 6:56 AM
> >> To: CloudStack Dev
> >> Subject: Re: Shellshock
> >>
> >> Tried this against the latest system vms built on Jenkins.
> >>
> >> Didn't get a successfully exploited response. Tested against
> >> http://systemvm-public-ip/cgi-bin/ipcalc
> >>> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2001@gmail.com>
> wrote:
> >>>
> >>>
> >>> After Heartbleed we are Shellshocked
> >>> http://www.bbc.com/news/technology-29361794 !
> >>> It may not affect CloudStack directly, as it is a vulnerability that
> >>> affects bash and allows the attacker to take control of the system
> >>> running the bash shell.
> >>>
> >>> -abhi
> >>
>
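The thread turns on two separate questions: whether a request header can carry a bash function definition into a child process of the CGI (the vector the Qualys remote check exercises through USER_AGENT), and whether the values the ipcalc script hands to system() are constrained to IP/netmask format. The following is an added example, not code from the thread or from CloudStack: it shows the CGI header-to-environment mapping with a detector for the "() {" marker, a strict IP/netmask validator of the kind Sheng describes, and an argv-list invocation that avoids spawning /bin/sh at all, so the result no longer depends on whether the system shell is dash or bash. The helper path /usr/bin/ipcalc and the sample headers are assumptions.

```python
"""Added example (not from the cloudstack-dev thread or the CloudStack code base).

1. A CGI server exports request headers as environment variables
   (User-Agent -> HTTP_USER_AGENT).  Shellshock-style probes place a bash
   function definition, beginning with "() {", in such a header; any bash
   started by the CGI would import it.  scan_headers() flags those variables.

2. validate_ip_netmask() accepts only a dotted-quad IPv4 address and a
   contiguous netmask, the kind of check the thread says the ipcalc script
   performs before calling system().

3. ipcalc_argv() builds an argv list so the helper can be run with
   subprocess.run(argv) and no shell is involved at all.
"""
import ipaddress
import re
import subprocess

# Values beginning with "() {" are what bash (before the fix) treated as an
# exported function definition.  Leading whitespace is tolerated to catch
# minor variants of the marker.
FUNCTION_IMPORT_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample requests: one ordinary client, one carrying the marker.
SAMPLE_BENIGN = {"User-Agent": "curl/7.30.0", "Accept": "*/*"}
SAMPLE_PROBE = {"User-Agent": "() { :;}; echo probe", "Accept": "*/*",
                "Cookie": "() { :;}; echo probe"}


def cgi_env_from_headers(headers):
    """Mimic how a CGI server maps HTTP headers onto environment variables."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def scan_headers(headers):
    """Return the names of the CGI environment variables that would carry a
    bash function definition into a bash child process (sorted, may be empty)."""
    env = cgi_env_from_headers(headers)
    return sorted(k for k, v in env.items() if FUNCTION_IMPORT_RE.match(v))


def validate_ip_netmask(ip_text, mask_text):
    """Return the IPv4Network for a dotted-quad address and dotted-quad mask.

    Raises ValueError for anything that is not exactly an address and a
    contiguous netmask, so shell metacharacters never reach a command line.
    """
    addr = ipaddress.IPv4Address(ip_text)  # AddressValueError is a ValueError
    try:
        return ipaddress.IPv4Network((addr, mask_text), strict=False)
    except ipaddress.NetmaskValueError as exc:
        raise ValueError(f"bad netmask {mask_text!r}") from exc


# Assumed location of the helper binary; placeholder, not from the thread.
IPCALC_TOOL = "/usr/bin/ipcalc"


def ipcalc_argv(ip_text, mask_text, tool=IPCALC_TOOL):
    """Validate first, then return an argv list for subprocess.run().

    Passing a list (shell=False, the default) executes the helper directly;
    no /bin/sh, dash or bash, is started, so neither argument injection nor
    environment-borne function definitions have a shell to act on.
    """
    net = validate_ip_netmask(ip_text, mask_text)
    return [tool, str(net.network_address), str(net.netmask)]


def run_ipcalc(ip_text, mask_text, tool=IPCALC_TOOL):
    """Run the helper without a shell and return its stdout."""
    result = subprocess.run(ipcalc_argv(ip_text, mask_text, tool),
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print("benign request flags:", scan_headers(SAMPLE_BENIGN))
    print("probe request flags: ", scan_headers(SAMPLE_PROBE))
    print("argv for 10.1.2.3/255.255.255.0:",
          ipcalc_argv("10.1.2.3", "255.255.255.0"))
    for bad in ("10.1.2.3; id", "10.1.2.3 $(id)"):
        try:
            validate_ip_netmask(bad, "255.255.255.0")
        except ValueError as exc:
            print("rejected:", exc)
```

scan_headers() is the detection half: run it over the headers of a request (or a parsed access-log line that retains the User-Agent) and anything it returns is worth an alert. The validator plus argv list is the mitigation half: even if a shell were involved, only an address and a mask can reach it, and with the list form no shell is involved.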
