On 09/26/2014 01:33 PM, Mike wrote:
> Royce,
>
> Thanks for covering this...I was going to post something later this
> evening.
>
> You have saved me the trouble!
>
> Looks easy enough to patch.
>
> I'd like to also talk about the access vectors.
>
> It looks like only shelling into the box exposes this particular remote
> exploit.
>
> Are there other avenues of access?
Theoretically, any program that takes input from an untrusted source and
puts it into an environment variable that gets processed by bash (in
this case) can be exploited. Environment variables for CGI scripts in
Apache are a popular source of exploitation. :)
R.
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Fri Sep 26 18:03:39 2014
This archive was generated by hypermail 2.1.8 : Fri Sep 26 2014 - 18:03:39 AKDT