[lug] Shellshock exploit is worse

Rob Nagler nagler at bivio.biz
Thu Sep 25 20:41:19 MDT 2014


Please correct me if I'm wrong, but I think the shellshock exploit is much
worse than is being discussed (openly).

Consider this:

$ export cat='() { echo uh-oh; }'
$ python -c 'import os; os.system("cat")'
uh-oh

The fix being promoted does not change this behavior.

Python is probably the worst, because it always uses bash -c, but other
languages have this problem with only a slight variation:

$ ruby -e 'exec "cat *"'
uh-oh

Maybe I'm missing something.  I sure hope I am.

Rob
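
An added example, not part of the original post: one way a calling program can keep function-like environment variables, such as the `cat` export shown above, from reaching a child process. The names `function_exports`, `scrubbed_env`, `run_clean` and `SAMPLE_ENV` are hypothetical, and the `BASH_FUNC_` name prefix is an assumption taken from later bash releases rather than from the post.

```python
import subprocess
import sys

# Value prefix bash keys on to treat an exported variable as a function.
FUNC_PREFIX = "() {"
# Name prefix later bash releases use for exported functions (assumption,
# not mentioned in the post).
PATCHED_NAME_PREFIX = "BASH_FUNC_"

# Constructed sample environment; the "cat" entry mirrors the post.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "cat": "() { echo uh-oh; }",
    "BASH_FUNC_ls%%": "() { echo uh-oh; }",
    "LANG": "C",
}


def function_exports(env):
    """Return sorted names of variables a bash child could import as functions."""
    hits = []
    for name, value in env.items():
        if value.startswith(FUNC_PREFIX) or name.startswith(PATCHED_NAME_PREFIX):
            hits.append(name)
    return sorted(hits)


def scrubbed_env(env):
    """Return a copy of env without any function-like variables."""
    bad = set(function_exports(env))
    return {k: v for k, v in env.items() if k not in bad}


def run_clean(argv, env):
    """Run argv directly (argument list, no shell) with a scrubbed environment."""
    return subprocess.run(argv, env=scrubbed_env(env), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("function-like variables:", function_exports(SAMPLE_ENV))
    # The child reports whether the "cat" variable survived the scrub.
    child = [sys.executable, "-c", "import os; print('cat' in os.environ)"]
    print("child sees cat:", run_clean(child, SAMPLE_ENV).stdout.strip())
```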