[Discuss] Shellshock

John Hall johnhall2.0 at gmail.com
Wed Oct 1 17:34:47 EDT 2014


On Wed, Oct 1, 2014 at 4:59 PM, Tom Metro <tmetro+blu at gmail.com> wrote:

>
> The age thing is a bit of a red herring, and that this came about due to
> a bug in Bash is almost irrelevant. The responsibility lies squarely
> with the application that provides the network interface. It should not
> be handing off unsanitized data supplied by a client to a child process.
>

It also that Shellshock would not apply to scripts in one language that
use a subprocess for some functionality like a script in Python or Ruby
that uses results from a Perl or even a bash script, as long as any data
that is passed went through normal sanitization measures.

But there are serious problems with mod_cgi.
This article by Trend Micro makes it clear that data sanitization is
useless if mod_cgi is enabled for Apache. It uses bash and environment
variables to execute your app in the first place so any sanitization code
in the script is useless.

http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-shellshock.pdf

Question: who uses mod_cgi in production??? I'm a web developer and have
yet to come across it. This definitely does not apply to nginx+uwsgi or
mod_wsgi for example.
I'm looking around to see if it's enabled by default. This might be
distro-specific, but the other good news is that there are updates to bash
listed in the Trend Micro article above that fix the problem.

Cheers + + + + + + +
John
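
Added example, not part of the original post or of the Trend Micro paper: a Python sketch of the point made in this thread, that a CGI gateway copies request headers into environment variables before any script code runs, so filtering has to happen in the process that builds the environment. The function names, the sample headers and the filter pattern are assumptions made for illustration.

```python
import re

# Bash builds affected by Shellshock treat an environment value that starts
# with "() {" as an exported function definition and parse it at startup,
# before any line of the CGI script runs. The pattern tolerates extra
# whitespace, so it is slightly broader than that literal prefix.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample request headers (not taken from any real traffic).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; echo constructed-marker",
    "Accept": "text/html",
    "Content-Type": "application/x-www-form-urlencoded",
}


def cgi_meta_variables(headers):
    """Map headers to CGI meta-variables (RFC 3875): User-Agent becomes
    HTTP_USER_AGENT, and the client's value is copied verbatim."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env


def child_environment(headers):
    """Return (env, dropped): env is what the gateway would pass to the
    child, dropped lists variables withheld for matching FUNC_PREFIX."""
    env, dropped = {}, []
    for key, value in cgi_meta_variables(headers).items():
        if FUNC_PREFIX.match(value):
            dropped.append(key)
        else:
            env[key] = value
    return env, sorted(dropped)


if __name__ == "__main__":
    env, dropped = child_environment(SAMPLE_HEADERS)
    print("passed to child:", sorted(env))
    print("withheld:", dropped)
```

A filter like this only narrows what reaches an unpatched bash; the fix referred to in the post is the bash update.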


