httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Querna <>
Subject Bash CVE-2014-6271 and CGI / HTTPD
Date Wed, 24 Sep 2014 17:48:25 GMT

I've seen a few mentions of CGI being vulnerable to attacks from this
issue.  An example from the HN threads:

    GET / HTTP/1.0
    User-Agent: () { :; }; rm -rf /

Assuming a CGI bash script of course --  but maybe vulnerable in other
langs if they exec a child process in bash w/ the environment setup by
a CGI'd process, for example imagine a Perl CGI that executes a bash
script to do part of its work.

Thoughts?  Is it reasonable to do something in mod_cgi{d} to improve
the situation?

View raw message