BLU Discuss list archive
[Discuss] Shellshock
- Subject: [Discuss] Shellshock
- From: bill.n1vux at gmail.com (Bill Ricker)
- Date: Wed, 1 Oct 2014 17:33:58 -0400
- In-reply-to: <542C6B15.4080507@gmail.com>
- References: <542B5DFA.2080108@gmail.com> <542B5F49.3050500@gmail.com> <CAAbKA3U4r-rxkAW33HPfv6FJE36rqDJx6qESbrS4r7G_VBN1Mw@mail.gmail.com> <542C6B15.4080507@gmail.com>
On Wed, Oct 1, 2014 at 4:59 PM, Tom Metro <tmetro+blu at gmail.com> wrote:
> But in the case of CGI you are just moving the network/local
> barrier a bit further down the stack.

and moved it right through system() => /bin/sh => /bin/bash by alias which last wasn't designed to be network secure.

> The CGI code is written with the
> expectation that the inputs are tainted.

alas, that paranoia (even if correctly implemented, which even Perl Taint doesn't guarantee, only that something is tried) is only *after* system() gives unclean ENV to bash to pass to Perl.

[ Efficient CGI implementations using pool processes and RPC for non-spawning CGI emulation avoid *this* problem, plenty of other room for trouble. ]

--
Bill Ricker
bill.n1vux at gmail.com
https://www.linkedin.com/in/n1vux
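The ordering point in the message above, as an added example that is not part of the original post: because the shell sees the environment before the CGI script's own taint checks run, any scrubbing has to happen in the parent, before the spawn. The function names, `BASE_ENV` and the sample headers are hypothetical and constructed for illustration; the `() {` prefix is how unpatched bash recognised an exported function in an environment value.

```python
import subprocess
import sys

# Unpatched bash treated any environment value starting with this prefix as a
# function definition and parsed it at startup, before the CGI script ran.
FUNC_PREFIX = "() {"

# Variables the (hypothetical) gateway sets itself; not derived from headers.
BASE_ENV = {"PATH": "/usr/bin:/bin", "GATEWAY_INTERFACE": "CGI/1.1"}


def build_cgi_env(headers):
    """Map request headers to HTTP_* variables (RFC 3875 style), refusing
    values that bash would parse as a function definition.
    Returns (env, rejected_names)."""
    env, rejected = dict(BASE_ENV), []
    for name, value in headers.items():
        var = "HTTP_" + name.upper().replace("-", "_")
        if value.startswith(FUNC_PREFIX):
            rejected.append(var)  # log and drop; never forward to the child
            continue
        env[var] = value
    return env, rejected


def run_handler(argv, headers):
    """Spawn the handler directly (argv list, no shell) with the scrubbed env,
    so no /bin/sh sits between the gateway and the script."""
    env, rejected = build_cgi_env(headers)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return proc.stdout, rejected


# Constructed sample headers; X-Probe carries only the function-definition
# shape, with a harmless placeholder body.
SAMPLE_HEADERS = {
    "User-Agent": "ExampleBrowser/1.0",
    "X-Probe": "() { constructed; }",
    "Accept-Language": "en-US",
}

if __name__ == "__main__":
    child = [sys.executable, "-c",
             "import os; print(sorted(k for k in os.environ if k.startswith('HTTP_')))"]
    out, rejected = run_handler(child, SAMPLE_HEADERS)
    print("child saw:", out.strip())
    print("rejected :", rejected)
```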