[174669] in North American Network Operators' Group


Re: update

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Sep 24 19:04:24 2014

X-Original-To: nanog@nanog.org
To: Jim Popovitch <jimpop@gmail.com>
In-Reply-To: Your message of "Wed, 24 Sep 2014 18:50:05 -0400."
 <CAGfsgR1a7Y_RCVTdpy8a5YDPMTaLWKivac0eW9pE5GZv1TQjEQ@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 24 Sep 2014 19:00:39 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org


On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:

> If someone is already invoking #!/bin/bash from a cgi, then they are
> already doing it wrong (bash has massive bloat/overhead for a CGI script).

You sure you don't have *any* cgi's that do something like
system("mail -s 'cgi program xxyz hit fatal error' webadmin@localhost");
because all it takes is finding a way to force the fatal error while you
send a crafted User-Agent: header....

As Jim Popovitch said, bash usage is incredibly pervasive....

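Added example, not part of the original message: a C helper a CGI program could use instead of system(), so the notification command runs through execve() with no "/bin/sh -c" in between, and only an allowlisted environment reaches the child. The allowlist, the function names, the /usr/bin/env demo target and the sample environment are assumptions made for illustration.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed allowlist. Request-derived CGI variables (HTTP_USER_AGENT,
 * HTTP_COOKIE, QUERY_STRING, ...) are not on it and get dropped. */
static const char *const KEEP[] = { "PATH=", "LANG=", "TZ=" };

/* Copy allowlisted entries to dst (cap >= 1 slots); returns how many kept. */
size_t scrub_env(char *const src[], char *dst[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; src[i] != NULL && n + 1 < cap; i++)
        for (size_t k = 0; k < sizeof KEEP / sizeof KEEP[0]; k++)
            if (strncmp(src[i], KEEP[k], strlen(KEEP[k])) == 0) {
                dst[n++] = src[i];
                break;
            }
    dst[n] = NULL;
    return n;
}

/* Run argv[0] directly via execve(): no shell as with system(), scrubbed
 * environment only. Returns the child's exit status, or -1 on failure. */
int run_no_shell(char *const argv[], char *const env[])
{
    char *clean[8];
    int status;
    pid_t pid;
    scrub_env(env, clean, sizeof clean / sizeof clean[0]);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean);
        _exit(127);   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed CGI-style environment; the header value is a placeholder. */
    char *env[] = { "PATH=/usr/bin:/bin", "HTTP_USER_AGENT=constructed", NULL };
    char *argv[] = { "/usr/bin/env", NULL };   /* prints what the child sees */
    return run_no_shell(argv, env);
}
```

For the mail case in the message, argv would hold the mail program's absolute path followed by "-s", the subject and the recipient as separate elements; scrubbing the environment still matters because the mail program may itself start a shell.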
