httpd-users mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: [users@httpd] Proposed simple shell-shock protection
Date Mon, 29 Sep 2014 21:04:36 GMT

On 29 Sep 2014, at 19:41, Pete Houston wrote:

> It is not a flaw in apache. Apache is simply a network-enabled channel
> through which exploitative payloads may be delivered to unpatched
> installations of bash (one of many such channels).

Yep.  mod_taint (or any other Apache-based solution) is secondary protection.
Updating bash must be your primary defence.

Your system may not be vulnerable in the first place.  If bash isn't
your default shell then the chances of it getting invoked by anything
running under apache are very remote.  Check #!/bin/sh: if it's not a
link to bash then the chances of bash ever being reachable through
apache are very remote unless/until your attacker already owns you.

If you want to be properly paranoid, run apache in a VM or chroot jail
with no bash at all!

-- 
Nick Kew
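
The check suggested in the message above, as an added example that is not part of the original post: it goes one step further than looking at /bin/sh and reads the `#!` line of every script in a directory, reporting those whose interpreter resolves to bash. The function names are hypothetical, `readlink -f` (GNU coreutils or compatible) is assumed to be available, and /bin/bash is an assumed default location for the bash binary.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes readlink -f exists.

# interpreter_of FILE: print the interpreter named on FILE's "#!" line, if any.
interpreter_of() {
    awk 'NR == 1 && sub(/^#![ \t]*/, "") {
             n = split($0, w, /[ \t]+/)
             # "#!/usr/bin/env NAME": the interpreter that runs is NAME
             if (w[1] ~ /(^|\/)env$/ && n > 1) print w[2]; else print w[1]
         }
         { exit }' "$1"
}

# resolves_to_bash INTERP [BASH]: succeed if INTERP ends up running bash.
# BASH is the installed bash binary (assumed default: /bin/bash).
resolves_to_bash() {
    p=$1
    case "$p" in
        */*) ;;
        *) p=$(command -v "$p" 2>/dev/null) || return 1 ;;   # bare name from env
    esac
    real=$(readlink -f "$p" 2>/dev/null) || return 1
    [ -e "$real" ] || return 1
    [ "${real##*/}" = bash ] && return 0                     # symlink to bash
    # A hard link or copy of bash under another name has no link to follow.
    [ -f "${2:-/bin/bash}" ] && cmp -s "$real" "${2:-/bin/bash}"
}

# audit_scripts DIR [BASH]: list scripts in DIR whose interpreter is bash.
# Usage: audit_scripts /path/to/cgi-bin
audit_scripts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        interp=$(interpreter_of "$f")
        [ -n "$interp" ] || continue
        if resolves_to_bash "$interp" "$2"; then
            printf '%s\t%s\n' "$f" "$interp"
        fi
    done
}
```

Each output line is a script path and the interpreter from its `#!` line, separated by a tab.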
