Hey Scott, Thanks for the clarification. Basically it's true that this is a vulnerability and a big one for a change but.. The specific cases are pretty important to do something about it when needed. Basically a function should not be defined inside a variable as a thumb rule. Else then that basic input validation in menus and scripts should do the trick. It's not exactly like but if I would run couple special scripts in bash it will do some nasty things to the system. This is indeed a vulnerability but there is a need to define what is vulnerable and what is not to make sure that admins and programmers will do what they need to do and not just "upgrade" which might solve a thing or two but will not help many running systems(that maybe cannot be updated on the fly). One of the big examples in a web form was nagios which uses lots of cgi scripts and by default is valuable but it should not concern in many cases since the installation has basic access restrictions. Eliezer On 09/27/2014 08:59 PM, Scott Howard wrote:
No, it's not only for bash cgi scripts - it's for anything that results in Bash being called.
For example, a Perl CGI script that calls system(). Or another binary that executes anything via bash.
Or an SSH server configured to use the "ForceCommand" option (eg, to put the user into a captive menu rather than a shell). Or a dhcp client running dhclient-script.
There's dozens of potential vectors to abuse this one - many of which haven't even been thought of yet. Patch *now*, on all machines - regardless of whether they have a webserver or not.
Scott