httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 57580] Perl code in "User-Agent" field is being executed and causing an exploit
Date Fri, 13 Feb 2015 03:27:34 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=57580

D. Stussy <software+httpd@kd6lvw.ampr.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #2 from D. Stussy <software+httpd@kd6lvw.ampr.org> ---
Maybe so, but regardless of the fix in BASH, the Apache HTTPD server should
still not be passing the value to a(ny) command interpreter - and THAT is a bug
in this software.

Relying on a patch in software under different authorship is akin to "security
via obscurity" -- it is NOT a fix.  The HTTPD server is cooperating with
another program to cause the exploit, which means that BOTH programs should be
fixed, even if fixing the other by itself closes the exploit.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message