nanog mailing list archives
Re: update
From: Jim Popovitch <jimpop () gmail com>
Date: Wed, 24 Sep 2014 19:22:14 -0400
On Sep 24, 2014 7:00 PM, <Valdis.Kletnieks () vt edu> wrote:
On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:If someone is already invoking #!/bin/bash from a cgi, then they are already doing it wrong (bash has massive bloat/overhead for a CGI
script).
You sure you don't have *any* cgi's that do something like system("mail -s 'cgi program xxyz hit fatal error' webadmin@localhost"); because all it takes is finding a way to force the fatal error while you send a crafted User-Agent: header....
That won't automatically invoke bash on Debian/Ubuntu....unless someone intentionally changed default shells.... -Jim P.
Current thread:
- Re: update, (continued)
- Re: update Hugo Slabbert (Sep 24)
- Re: update JoeSox (Sep 25)
- Re: update Joly MacFie (Sep 25)
- Re: update Brandon Whaley (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Michael Thomas (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Alain Hebert (Sep 24)
- Re: update Valdis . Kletnieks (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update Daniel Jackson (Sep 24)
- Re: update Chris Adams (Sep 24)
- Re: update Jimmy Hess (Sep 24)
- Re: update William Herrin (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update William Herrin (Sep 24)
- Re: update Jim Popovitch (Sep 24)
- Re: update William Herrin (Sep 24)
- Re: update Jim Popovitch (Sep 24)