[GLLUG] Bash Bug
mail-lists at karan.org
Thu Sep 25 22:27:31 UTC 2014
On 09/25/2014 10:44 PM, Alain Williams wrote:
> On Thu, Sep 25, 2014 at 10:38:32PM +0100, Alain Williams wrote:
> FYI: something referenced from the SElinux mail list:
this is a great post on how SELinux can help overall in situations like
this as well.
the other thing that is important to note here is that there is -lots-
of software out there that uses system() calls to do things, every one
of those is potentially at risk here; nagios / gitweb etc are just a tip
of the iceberg. There is plenty of desktop / app grade software that
does this as well.
So, although I agree that bash for cgi-scripts is just completely
whacked out, in many cases the issue is being inherited from other code,
that does the system shell out.
btw, sky hd+ box's running linux... also exploiteable.
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
More information about the GLLUG