[Haifux] The Bash vulnerability (shellshock)

boazg boaz.gezer at gmail.com
Sat Sep 27 11:36:14 IDT 2014


you need to find a vulnerable site. CGI doesn't have to pass through bash.
you need a site that opens a subshell for something. they aren't uncommon,
but it's not every linux-CGI site.

On Fri, Sep 26, 2014 at 2:33 PM, Eli Billauer <eli at billauer.co.il> wrote:

> Hi,
>
> I did
>
> # yum upgrade bash
>
> on Haifux' server, and it's off the hook. But I was also surprised that it
> the attack failed even before that.
>
>    Eli
>
>
> On 26/09/14 12:39, guy keren wrote:
>
>> On 09/26/2014 12:30 PM, Eli Billauer wrote:
>>
>>> env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'
>>>
>>
>> you're too late - there's a (partial?) fix being distributed around...
>>
>> --guy
>> _______________________________________________
>> Haifux mailing list
>> Haifux at haifux.org
>> http://haifux.org/mailman/listinfo/haifux
>>
>>
>
> --
> Web: http://www.billauer.co.il
>
>
> _______________________________________________
> Haifux mailing list
> Haifux at haifux.org
> http://haifux.org/mailman/listinfo/haifux
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://haifux.org/pipermail/haifux/attachments/20140927/14e6a433/attachment.html>


More information about the Haifux mailing list