http://www.berklix.com/~jhs/bash/

By Julian H. Stacey - Other Blogs & Texts

Friday 26 September 2014 - Best avoid web forms for some days!
(I wonder how many bank, commerce, & government etc. web programmers won't even start securing their systems till after the weekend?)

Another Security Alert: ShellShock (BASH).
Bash code injection attack via specially crafted environment variables.
(Just when you were relaxing after the Heartbleed (SSL) security alert of April.)

Why ShellShock (BASH) may affect you:

References

Apache Sample Scripts

A look at the apache server sample scripts, to see how much precedent they set for using Bash:
cd /usr/ports/www/apache22/work/httpd-2.2.25
find . -type f | xargs grep -i -l bash | sort   # List every file that mentions bash
vi -c/bash `find . -type f | xargs grep -i -l bash | sort`   # Open each match, cursor on the first "bash"
./CHANGES
./README.platforms
./build/rpm/htcacheclean.init
./build/rpm/httpd.init
./configure
./configure.bak
./modules/proxy/proxy_util.c # Just Comments
./srclib/apr-util/configure
./srclib/apr-util/test/nw_misc.c
./srclib/apr-util/xml/expat/README
./srclib/apr-util/xml/expat/configure
./srclib/apr-util/xml/expat/conftools/libtool.m4 # Just Comments
./srclib/apr/build/libtool.m4 # Just Comments
./srclib/apr/configure
./srclib/apr/include/apr_file_info.h # Just Comments
./srclib/apr/test/nw_misc.c
./srclib/pcre/configure

A Test

For more & newer tests & consideration of other shells, e.g. ksh etc., see the security@freebsd mail list link above.

csh
printenv
source `which unsetenv.csh`
printenv # Now less environment variables to make observation easier.
bash

# Next line from np@, Thanks.
env x='() { :;}; echo Vulnerable.' bash -c "echo This is a test."
# Old bash:
Vulnerable.
This is a test.
# Fresh patched current bash:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
This is a test.

# Show that the error message goes to stderr, not stdout:
env x='() { :;}; echo Vulnerable.' bash -c "echo This is a test." > stdout
# Old bash:
Nothing to stderr

# Fresh patched current bash:
To stderr:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
cat stdout
# Old bash:
Vulnerable.
This is a test.

# Fresh patched current bash:
This is a test.
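The same crafted-variable test, wrapped as an added example (not from the original page) in a POSIX sh function that keeps stdout and stderr apart, as the runs above do, and reports one status word. It assumes `bash` is on PATH and that `mktemp` is available; later bash releases only import functions from specially named variables, so they print nothing at all here, which the function also accepts as safe.

```shell
#!/bin/sh
# Added example: classify the local bash with the env-variable test above.
# Prints one of: vulnerable, patched-warning, patched-silent, no-bash.
# Exit status: 1 = vulnerable, 0 = safe, 2 = no bash found, 3 = mktemp failed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
    tmp_err=$(mktemp) || return 3

    # A vulnerable bash runs the trailing "echo Vulnerable." while importing
    # the function definition from x, so the marker lands on stdout.
    out=$(env x='() { :;}; echo Vulnerable.' bash -c "echo This is a test." 2>"$tmp_err")
    err=$(cat "$tmp_err")
    rm -f "$tmp_err"

    case $out in
        *Vulnerable.*) echo vulnerable; return 1 ;;
    esac
    # The first patches still parse x, refuse it, and warn on stderr.
    case $err in
        *"ignoring function definition attempt"*) echo patched-warning; return 0 ;;
    esac
    # Newer bash ignores x entirely (no warning), which is also safe.
    echo patched-silent
    return 0
}
```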
