Re: update

[Alain Hebert <ahebert () pubnix net>]

On 09/24/14 18:50, Jim Popovitch wrote:
> On Sep 24, 2014 6:39 PM, "Michael Thomas" <mike () mtcc com> wrote:
> > On 9/24/14, 3:27 PM, Jim Popovitch wrote:
> > > On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg () gmail com>
> wrote:
> > > > The scope of the issue isn't limited to SSH, that's just a popular
> > > > example people are using.  Any program calling bash could potentially
> > > > be vulnerable.
> > > Agreed.  My point was that bash is not all that popular on
> > > debian/ubuntu for accounts that would be running public facing
> > > services that would be processing user defined input (www-data,
> > > cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
> > > could host their own cgi script on >:1024, but that's not really a
> > > critical "stop the presses!!" upgrade issue, imho.
> > This is already made it to /. so I'm not sure why Randy was being so hush
> hush...
> > But my read is that this could affect anything that calls bash to do
> processing, like
> > handing off to CGI by putting in headers to p0wn the box. Also: bash is
> incredibly
> > pervasive though any unix disto, in not at all obvious places, so I
> wouldn't be
> > complacent about this at all.
> >
> > Mike
> If someone is already invoking #!/bin/bash from a cgi, then they are
> already doing it wrong (bash has massive bloat/overhead for a CGI script).
> But I do agree, it's hard to know exactly what idiots do.  :-)

    Maybe just mis-informed, they become idiots if they keep doing it
after someone pointed it to them =D

> -Jim P.