Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Shellshock

On Wed, Oct 1, 2014 at 4:59 PM, Tom Metro <tmetro+blu at> wrote:

> The age thing is a bit of a red herring, and that this came about due to
>  a bug in Bash is almost irrelevant. The responsibility lies squarely
> with the application that provides the network interface. It should not
> be handing off unsanitized data supplied by a client to a child process.

It also that shellshock  would not apply to scripts in one language that
use a subprocess for some functionality like a script in python or ruby
that uses results from a perl or even a bash script?, as long as any data
that is passed went thorough normal sanitation measures.

But there are serious problems with mod_cgi
?This article by trend micro makes it clear that data sanitization is
useless if mod_cgi is enabled for Apache. It uses bash and environment
variables to execute your app in the first place so any sanitization code
in the script is useless.
Question: who uses mod_cgi in production??? I'm a web developer and have
yet to come across it. This definitely does not apply to nginx+uwsgi or
mod_wsgi for example.
I'm looking around to see if it's enabled by default. This might be distro
specific but the other good news is that there are updates to bash listed
in the trend article above that fix the problem.

Cheers + + + + + + +

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /