[Discuss] Shellshock
Bill Ricker
bill.n1vux at gmail.com
Wed Oct 1 17:33:58 EDT 2014
On Wed, Oct 1, 2014 at 4:59 PM, Tom Metro <tmetro+blu at gmail.com> wrote:
> But in the case of CGI you are just moving the network/local
> barrier a bit further down the stack.
and moved it right through system() => /bin/sh => /bin/bash by alias
which last wasn't designed to be network secure.
> The CGI code is written with the
> expectation that the inputs are tainted.
alas, that paranoia (even if correctly implemented, which even Perl
Taint doesn't guarantee, only that something is tried) is only *after*
system() gives unclean ENV to bash to pass to Perl.
[ Efficient CGI implementations using pool processes and RPC for
non-spawning CGI emulation avoid *this* problem, plenty of other room
for trouble. ]
--
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux
More information about the Discuss
mailing list