httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sharon Zastre <>
Subject RE: [users@httpd] Proposed simple shell-shock protection
Date Mon, 29 Sep 2014 16:35:37 GMT
Thank you Nick for quickly looking into a solution/work around for the shellshock vulnerability.
 But I'm confused as to how to implement it.  I am currently at Apache 2.4.9 with OpenSSL
1.0.1g.  Do I need to upgrade to 2.4.10 or 2.5(?) first?  Will it simply be in the install
and I include mod_taint in the config file?  Or is this a separate download that I need to


-----Original Message-----
From: Nick Kew [] 
Sent: Friday, September 26, 2014 9:42 AM
Subject: [users@httpd] Proposed simple shell-shock protection

I've revisited mod_taint this morning, and made some updates:
a bugfix, a new option to apply an untainting rule to all headers.
But topically, a canned configuration option to protect against shell-shock patterns:

  LoadModule modules/
  Untaint shellshock

Untaint works in a directory context, so can be selectively enabled for potentially-vulnerable
apps such as those involving CGI, SSI, ExtFilter, or (other) scripts.

This goes through all Request headers, any PATH_INFO and QUERY_STRING, and (just to be paranoid)
any other subprocess environment variables.  It untaints them against a regexp that checks
for "()" at the beginning of a variable, and returns an HTTP 400 error (Bad Request) if found.

Feedback welcome, indeed solicited.  I believe this is a simple but sensible approach to protecting
potentially-vulnerable systems, but I'm open to contrary views.  The exact details, including
the shellshock regexp itself, could probably use some refinement.  And of course, bug reports!

Builds and runs with httpd 2.2 and 2.4.  Very limited testing verifies that it catches a shellshock
attack in a request header.

Note: cross-posting, with followup-to set to dev@.
If you're following up to report a critical bug, adding users@ will ensure widest exposure!

Nick Kew

To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message