[174668] in North American Network Operators' Group


Re: update

daemon@ATHENA.MIT.EDU (Alain Hebert)
Wed Sep 24 19:00:25 2014

X-Original-To: nanog@nanog.org
Date: Wed, 24 Sep 2014 18:58:23 -0400
From: Alain Hebert <ahebert@pubnix.net>
To: nanog@nanog.org
In-Reply-To: <CAGfsgR1a7Y_RCVTdpy8a5YDPMTaLWKivac0eW9pE5GZv1TQjEQ@mail.gmail.com>
Reply-To: ahebert@pubnix.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 09/24/14 18:50, Jim Popovitch wrote:
> On Sep 24, 2014 6:39 PM, "Michael Thomas" <mike@mtcc.com> wrote:
>>
>> On 9/24/14, 3:27 PM, Jim Popovitch wrote:
>>> On Wed, Sep 24, 2014 at 6:17 PM, Brandon Whaley <redkrieg@gmail.com> wrote:
>>>> The scope of the issue isn't limited to SSH, that's just a popular
>>>> example people are using.  Any program calling bash could potentially
>>>> be vulnerable.
>>> Agreed.  My point was that bash is not all that popular on
>>> debian/ubuntu for accounts that would be running public facing
>>> services that would be processing user defined input (www-data,
>>> cgi-bin, list, irc, lp, mail, etc).  Sure some non-privileged user
>>> could host their own cgi script on >:1024, but that's not really a
>>> critical "stop the presses!!" upgrade issue, imho.
>>>
>>>
>> This has already made it to /. so I'm not sure why Randy was being so hush hush...
>> But my read is that this could affect anything that calls bash to do processing, like
>> handing off to CGI by putting in headers to p0wn the box. Also: bash is incredibly
>> pervasive through any unix distro, in not at all obvious places, so I wouldn't be
>> complacent about this at all.
>>
>> Mike
> If someone is already invoking #!/bin/bash from a cgi, then they are
> already doing it wrong (bash has massive bloat/overhead for a CGI script).
> But I do agree, it's hard to know exactly what idiots do.  :-)

    Maybe just misinformed; they become idiots if they keep doing it
after someone has pointed it out to them =D

>
> -Jim P.
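The disagreement above (Jim: service accounts on Debian/Ubuntu don't use bash; Mike: bash is reachable from non-obvious places) is something an operator can settle per host rather than argue in the abstract. The script below is an added example, not code from the thread or from any of its authors: it inventories three of the places the posters mention, accounts whose login shell is bash, CGI scripts whose shebang invokes bash, and whether a given /bin/sh is really bash in disguise. The passwd entries, the cgi-bin directory and the bin/ symlinks it operates on are constructed sample data built in a temporary directory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the NANOG thread): where is bash reachable by
# public-facing service accounts and CGI scripts on this host?

# Print "user:shell" for every passwd-format entry whose login shell is bash
# (matches /bin/bash, /usr/bin/bash, /usr/local/bin/bash, ...).
bash_shell_accounts() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 ":" $7 }' "$1"
}

# Print every regular file under DIR whose first line is a bash shebang:
# "#!/bin/bash", "#!/usr/bin/bash", "#!/bin/bash -e", "#!/usr/bin/env bash".
# Scripts starting "#!/bin/sh" are deliberately not listed here; whether
# those reach bash depends on what /bin/sh resolves to (see sh_is_bash).
bash_shebang_scripts() {
    find "$1" -type f | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null |
           grep -Eq '^#![[:space:]]*(/[a-z/]*bash|/usr/bin/env[[:space:]]+bash)([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Print "yes" if the given sh path (a symlink chain is followed) ends at a
# file named bash, "no" otherwise.  On Debian/Ubuntu /bin/sh is normally
# dash; on other distributions it is often bash, which widens the exposure.
sh_is_bash() {
    case "$(readlink -f "$1" 2>/dev/null)" in
        */bash) echo yes ;;
        *)      echo no ;;
    esac
}

# ---- constructed sample data (hypothetical hosts, accounts and scripts) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
EOF

mkdir -p "$WORK/cgi-bin" "$WORK/bin"
printf '#!/bin/bash\necho "Content-type: text/plain"; echo; echo hi\n' > "$WORK/cgi-bin/hello.cgi"
printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\n";\n'    > "$WORK/cgi-bin/stat.pl"
printf '#!/usr/bin/env bash\nenv\n'                                     > "$WORK/cgi-bin/env.sh"
: > "$WORK/bin/bash"; : > "$WORK/bin/dash"   # stand-ins for the real binaries
ln -s bash "$WORK/bin/sh"                      # a host whose /bin/sh is bash
ln -s dash "$WORK/bin/sh2"                     # a Debian-style /bin/sh -> dash

# ---- report (runs when the script is executed directly) ----
echo "accounts with a bash login shell:";  bash_shell_accounts "$WORK/passwd"
echo "CGI scripts that invoke bash:";      bash_shebang_scripts "$WORK/cgi-bin"
echo "sh -> bash? $(sh_is_bash "$WORK/bin/sh")   sh2 -> bash? $(sh_is_bash "$WORK/bin/sh2")"
```

Point the three functions at the real /etc/passwd, the web server's CGI directories and /bin/sh to get the same report for a live host; a clean result for the service accounts does not by itself mean bash is unreachable, since a perl, PHP or C program running as www-data that calls system() or popen() still goes through /bin/sh, which is why the last check matters.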
