[174670] in North American Network Operators' Group
Re: update
daemon@ATHENA.MIT.EDU (Jim Popovitch)
Wed Sep 24 19:22:22 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <34137.1411599639@turing-police.cc.vt.edu>
Date: Wed, 24 Sep 2014 19:22:14 -0400
From: Jim Popovitch <jimpop@gmail.com>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Sep 24, 2014 7:00 PM, <Valdis.Kletnieks@vt.edu> wrote:
>
> On Wed, 24 Sep 2014 18:50:05 -0400, Jim Popovitch said:
>
> > If someone is already invoking #!/bin/bash from a cgi, then they are
> > already doing it wrong (bash has massive bloat/overhead for a CGI
> > script).
>
> You sure you don't have *any* cgi's that do something like
> system("mail -s 'cgi program xxyz hit fatal error' webadmin@localhost");
> because all it takes is finding a way to force the fatal error while you
> send a crafted User-Agent: header....

That won't automatically invoke bash on Debian/Ubuntu....unless someone
intentionally changed default shells....

-Jim P.
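
Added example, not part of the original thread: `system()` runs its argument through `/bin/sh -c`, so whether the quoted `mail` call reaches bash depends on what `/bin/sh` resolves to on the host. The script below checks that and lists CGI scripts whose `#!` line reaches bash; the function names and the directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit which shell system() and CGI shebang lines reach.
# Function names are hypothetical; pass your own CGI directory.

# Print the real binary behind a shell path (follows symlinks when possible).
resolve_shell() {
    target=${1:-/bin/sh}
    readlink -f "$target" 2>/dev/null || printf '%s\n' "$target"
}

# Exit 0 when the given shell path (default /bin/sh) is really bash.
sh_is_bash() {
    real=$(resolve_shell "${1:-/bin/sh}")
    case "$(basename "$real")" in bash*) return 0 ;; esac
    # A bash binary copied or hard-linked under another name still sets
    # BASH_VERSION, so ask the binary itself.
    [ -x "$real" ] &&
        [ -n "$("$real" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null)" ]
}

# List files under a directory whose first line names bash directly, or
# names sh while that sh (second argument, default /bin/sh) is bash.
cgi_scripts_reaching_bash() {
    dir=$1
    sh_path=${2:-/bin/sh}
    find "$dir" -type f | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case "$first" in
            '#!'*bash*)
                printf '%s\n' "$f" ;;
            '#!'*/sh|'#!'*/sh' '*|'#!'*'env sh'*)
                if sh_is_bash "$sh_path"; then printf '%s\n' "$f"; fi ;;
        esac
    done
}

# Report for this host: does system("...") end up in bash?
if sh_is_bash; then
    echo "/bin/sh is bash: system()/popen() calls run under bash"
else
    echo "/bin/sh is $(resolve_shell /bin/sh): system() does not invoke bash"
fi
```

The shebang scan does not see `system()` or `popen()` calls inside Perl, Python or compiled CGIs; for those, the `sh_is_bash` result is the deciding factor.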