On Thu, 25 Sep 2014 04:59:58 +0300, Henry Crun Gave us:
Yup. For both CentOS 6.5 and Cygwin. Not that I run any web servers myself, of course....
Cheers
Phil Hobbs
-- Dr Philip C D Hobbs Principal Consultant ElectroOptical Innovations LLC Optics, Electro-optics, Photonics, Analog Electronics 160 North State Road #203 Briarcliff Manor NY 10510 hobbs at electrooptical dot net http://electrooptical.net
I find it ironic that people would call it a bug since it's been around for so long.
Just another back door exposed and another one will be created to fill its place.
Jamie
On Sat, 27 Sep 2014 12:47:02 -0400, "Maynard A. Philbrook Jr." Gave us:
BASH has, but has the bug?
I think you lack a certain grasp of computer science with that claim.
What's ironic about that?
Cheers
Phil Hobbs
People have been warning against using shell scripts for CGI since the early days of the Web, but some folks didn't get the message.
Cheers
Phil Hobbs
As they say, it's not a bug, it's a feature.
I went and found an article on it and it appears to operate from values in the environment variable settings that bash should not be executing as commands.
I have such a suspicious personality, so I think everyone is guilty of something. I can't blow this off as mere coincidence, since it's been around for so long.
After reading how other UNIX-type OSes may have this same problem, it looks like a lot of copying and pasting of code! Wouldn't you have thought that the shell would have been fixed for other platforms using the UNIX-style OS?
Jamie
Computer science, ha. Another yuppie...
Jamie
Rather, copying of *ideas*. And, failing to see the flaws in those ideas (or, ways of protecting against them).
Why do we still see buffer overrun problems in code? C'mon, that's a no-brainer! Yet people still use fixed size buffers and don't take steps to ensure only "5 pounds" gets stuffed into that (5 lb) bag!
On Sat, 27 Sep 2014 16:03:42 -0400, "Maynard A. Philbrook Jr." Gave us:
You're an idiot, and not far from fitting The SlowTard's description of you.
Try thinking before you spew. Perhaps gain a reprieve.
Oh I did all thinking that was required, you're still a yuppie!
Jamie
On Sat, 27 Sep 2014 21:00:38 -0400, "Maynard A. Philbrook Jr." Gave us:
You are still retarded. I was out of school before the term was even coined. So much for your capacity to guess weight, circus clown.
On a sunny day (Sat, 27 Sep 2014 12:47:02 -0400) it happened "Maynard A. Philbrook Jr." wrote in :
I don't use bash, but the zsh shell, and that is positive too:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

So I renamed /bin/bash to /bin/somethingelse:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env: bash: No such file or directory

logical...

and tried the test again with zsh:

# env x='() { :;}; echo vulnerable' zsh -c "echo this is a test"
this is a test

Seems zsh is clean. Too bad a zillion scripts need bash, or have bash specified
so.... But they already know everything. eeeeh, almost... ? :-) oops need to check those logs again.
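As an added example, not from the thread: the probe used in the post above, wrapped in a POSIX sh function (the name shellshock_check is assumed) so it can be run against each shell binary mentioned and report whether that shell executed the trailing command, ignored it, or is not installed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Runs the same environment-
# variable probe the post uses against a named shell binary and classifies
# the result.  The environment value looks like an exported bash function
# with a command appended after the closing brace; a bash affected by the
# bug ran that trailing command while importing the function, while a
# fixed bash, or a shell such as zsh that never imports functions from the
# environment, only prints the inner "echo".
shellshock_check() {
    shell="$1"
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo "missing"
        return 2
    fi
    # Only the child shell's stdout is inspected; stderr is discarded.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo this is a test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*)        echo "vulnerable"; return 1 ;;
        *"this is a test"*)  echo "patched";    return 0 ;;
        *)                   echo "unknown";    return 3 ;;
    esac
}

# Check the shells discussed in the thread plus whatever sh resolves to.
for s in bash zsh sh; do
    printf '%s: %s\n' "$s" "$(shellshock_check "$s")"
done
```

A result of "patched" on a host that still serves CGI from shell scripts only means this particular probe is closed; the thread's point that untrusted input should not reach a shell at all still stands.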