Reply to post: Not just CGI

Bad boy builds beastly Bash bug botnet, boxen battered

Nick Kew

Not just CGI

People running Apache: if you think you may be at risk, watch Planet Apache for a solution built into the server!

I'd take issue with the assertion that CGI+bash is likely to be the most usual vector. Applications (CGI or otherwise) that invoke bash through system() or equivalent may very well be more widespread.

Some of those could be running under a standard server. For example, SSI "<!--#exec cmd ...", or a filter running under apache's mod_ext_filter. The latter is recommended as a security measure in at least one well-reputed security book, albeit not actually running bash!

Also worth noting, Linux is particularly vulnerable. Most scripts use #!/bin/sh, which is normally old Bourne shell. Linux doesn't have Bourne shell, but uses an emulator for #!/bin/sh, and that emulator is usually bash.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022