<div dir="ltr">you need to find a vulnerable site. CGI doesn't have to pass through bash. you need a site that opens a subshell for something. they aren't uncommon, but it's not every linux-CGI site. </div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 26, 2014 at 2:33 PM, Eli Billauer <span dir="ltr"><<a href="mailto:eli@billauer.co.il" target="_blank">eli@billauer.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I did<br>
<br>
# yum upgrade bash<br>
<br>
on Haifux' server, and it's off the hook. But I was also surprised that it the attack failed even before that.<br>
<br>
Eli<div class="HOEnZb"><div class="h5"><br>
<br>
On 26/09/14 12:39, guy keren wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 09/26/2014 12:30 PM, Eli Billauer wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
env x='() { :;}; echo vulnerable' bash -c 'echo This is a test'<br>
</blockquote>
<br>
you're too late - there's a (partial?) fix being distributed around...<br>
<br>
--guy<br>
______________________________<u></u>_________________<br>
Haifux mailing list<br>
<a href="mailto:Haifux@haifux.org" target="_blank">Haifux@haifux.org</a><br>
<a href="http://haifux.org/mailman/listinfo/haifux" target="_blank">http://haifux.org/mailman/<u></u>listinfo/haifux</a><br>
<br>
</blockquote>
<br>
<br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
Web: <a href="http://www.billauer.co.il" target="_blank">http://www.billauer.co.il</a></font></span><div class="HOEnZb"><div class="h5"><br>
<br>
______________________________<u></u>_________________<br>
Haifux mailing list<br>
<a href="mailto:Haifux@haifux.org" target="_blank">Haifux@haifux.org</a><br>
<a href="http://haifux.org/mailman/listinfo/haifux" target="_blank">http://haifux.org/mailman/<u></u>listinfo/haifux</a><br>
</div></div></blockquote></div><br></div>