httpd-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject Bash CVE-2014-6271 and CGI / HTTPD
Date Wed, 24 Sep 2014 17:48:25 GMT

http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

https://news.ycombinator.com/item?id=8361574

I've seen a few mentions of CGI being vulnerable to attacks from this
issue.  An example from the HN threads:

    GET / HTTP/1.0
    User-Agent: () { :; }; rm -rf /

Assuming a CGI bash script of course --  but maybe vulnerable in other
langs if they exec a child process in bash w/ the environment setup by
a CGI'd process, for example imagine a Perl CGI that executes a bash
script to do part of its work.

Thoughts?  Is it reasonable to do something in mod_cgi{d} to improve
the situation?

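
One shape the mod_cgi{d}-side mitigation asked about above could take, as an added example that is not part of the original message and not httpd's own code: before the CGI child is exec'd, drop every environment entry whose value begins with the `() {` prefix that unpatched bash imports as a function definition. The function names `env_value_is_funcdef` and `scrub_cgi_env` are hypothetical, and the sample environment is constructed from the request quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Prefix that unpatched bash treats as an exported function definition
 * when it appears at the very start of an environment value. */
static const char FUNC_PREFIX[] = "() {";

/* Returns 1 if a "NAME=value" entry has a value starting with FUNC_PREFIX. */
int env_value_is_funcdef(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;               /* malformed entry, no value to inspect */
    return strncmp(eq + 1, FUNC_PREFIX, sizeof(FUNC_PREFIX) - 1) == 0;
}

/* Compacts a NULL-terminated env array in place, removing flagged entries.
 * Returns the number of entries removed. */
int scrub_cgi_env(char **env)
{
    int removed = 0;
    char **out = env;
    for (char **in = env; *in != NULL; in++) {
        if (env_value_is_funcdef(*in)) {
            removed++;          /* skip: would be parsed by bash on startup */
            continue;
        }
        *out++ = *in;
    }
    *out = NULL;
    return removed;
}

/* Constructed sample: the environment a CGI handler would build from the
 * request quoted in the message (header names mapped to HTTP_* variables). */
int main(void)
{
    char *env[] = {
        "REQUEST_METHOD=GET",
        "HTTP_USER_AGENT=() { :; }; rm -rf /",
        "HTTP_ACCEPT=text/html",
        "QUERY_STRING=q=() {",  /* prefix not at start of value: kept */
        NULL
    };
    printf("removed %d entries\n", scrub_cgi_env(env));
    for (char **e = env; *e != NULL; e++)
        printf("%s\n", *e);
    return 0;
}
```

Filtering at this layer only narrows exposure through the CGI environment; bash itself still needs the fix for CVE-2014-6271.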