
On Sun 28 Sep 2014 11:01:17 NZDT +1300, Eliezer Croitoru wrote: Sorry I forgot the smilies for the sarcastic parts earlier.
If an admin wrote a cgi script that allows injection of functions into the bash environment then the cgi script should be fixed...
Of course input should always be validated, but that theory has an assumption and thus a limit. The assumption is that your validation script interpreter works, which in this case it does not, so fixing the script does not help you. The script interpreter itself fails to validate, and that is the location that needs fixing. Your php/mysql example is not helpful.
If the issue is the mod_cgi interface itself allowing all sorts of stuff, it is not 100% bash's fault.
It is maybe not mod_cgi's job to validate user input. Also, you are assuming again that apache is the only problem. It is not.

HTH,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/
Please do not CC list postings to me.