Anyone use bash?
The problem is particularly serious given that many web servers are run using the Apache system, software which includes the Bash component.
I'm no sandal-wearing Linux expert but isn't it part of the OS, not the web server?
-
Originally posted by Bunk:
"I'm no sandal-wearing Linux expert but isn't it part of the OS, not the web server?"

The exploit allows you to access the webserver remotely via bash....
-
Originally posted by stek:
"The exploit allows you to access the webserver remotely via bash...."

But bash is a command line IIRC. Surely that means you need to have logged onto the machine to get the command line to do any damage?

Will work inside IR35. Or for food.
-
Originally posted by VectraMan:
"But bash is a command line IIRC. Surely that means you need to have logged onto the machine to get the command line to do any damage?"

I think the exploit can give extra privs in the manner of the old Emacs exploit.
-
Originally posted by Bunk:
"I'm no sandal-wearing Linux expert but isn't it part of the OS, not the web server?"

CGI uses the system shell, which is usually bash. One nice (?) demo I saw last night involved changing the User-Agent header on a request. When processed by a vulnerable web server (e.g. one running PHP-as-CGI, or one with a cgi-bin script that parsed request headers) it allowed execution of arbitrary shell commands on the server.
-
Originally posted by VectraMan:
"But bash is a command line IIRC. Surely that means you need to have logged onto the machine to get the command line to do any damage?"

The web server is running as a logged-on user (usually something like www:www or apache:apache). It allows you to run arbitrary commands with the same privileges as that user, which is clearly a Bad Thing. In particular, even if the web server user is restricted to certain commands, it allows you to override those restrictions, and run whatever you like with a simple request to port 80.

If this was combined with a zero-day privilege escalation vulnerability within bash, then the bad guys could root a server with nothing more than a single request using curl. Not good
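A defender's view of the request described in the last two posts, as an added example that is not part of the thread: it scans access-log lines for the `() {` prefix that vulnerable bash versions treated as a function definition when it arrived in an environment value, which is where CGI puts request headers. The Apache "combined" log format is an assumption, the `() {` marker is not stated in the thread, and the log lines, addresses and header values are constructed samples.

```python
import re

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'(?:[^"\\]|\\.)*'  # quoted field; Apache backslash-escapes inner quotes
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>' + QUOTED + r')" '
    r'\d{3} \S+ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Vulnerable bash acted on values beginning "() {". Searching anywhere in the
# field, with optional whitespace, is deliberately broader than that.
FUNC_MARKER = re.compile(r'\(\)\s*\{')

def scan(lines):
    """Return (line_number, host, flagged_fields) for every suspicious line.

    Lines that do not parse are reported with host None rather than skipped,
    so a malformed entry cannot hide a request from review.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED.match(line.strip())
        if m is None:
            hits.append((lineno, None, ["unparsed"]))
            continue
        fields = [name for name in ("request", "referer", "agent")
                  if FUNC_MARKER.search(m.group(name))]
        if fields:
            hits.append((lineno, m.group("host"), fields))
    return hits

# Constructed sample log (documentation address ranges, harmless echo marker).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:09:12:01 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2000:09:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; echo constructed-test-marker"',
    '198.51.100.7 - - [01/Jan/2000:09:13:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "() { :; }; echo constructed-test-marker" "curl/7.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for lineno, host, fields in scan(SAMPLE_LOG):
        print(f"line {lineno}: host={host} flagged={','.join(fields)}")
```

An access log only records the request line, Referer and User-Agent, so a clean result here does not cover other headers that CGI also copies into the environment.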