[lug] Shellshock exploit is worse
Rob Nagler
nagler at bivio.biz
Thu Sep 25 20:41:19 MDT 2014
Please correct me if I'm wrong, but I think the shellshock exploit is much
worse than is being discussed (openly).
Consider this:
$ export cat='() { echo uh-oh; }'
$ python -c 'import os; os.system("cat")'
uh-oh
The fix being promoted does not change this behavior.
Python is probably the worst, because it always uses bash -c, but other
languages have this problem with only a slight variation:
$ ruby -e 'exec "cat *"'
uh-oh
Maybe I'm missing something. I sure hope I am.
Rob
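
The override in the post depends on bash importing a function from an environment variable whose value begins with `() {`. As an added example (not part of the original post), this Python code flags such variables and runs a child directly, without a shell, in a scrubbed environment; the `BASH_FUNC_` name check covers the naming later bash releases use for exported functions, and `SAMPLE_ENV` is constructed.

```python
import os
import subprocess
import sys

# Value prefix that pre-patch bash treats as an exported function definition.
FUNC_PREFIX = "() {"
# Name prefix later bash releases use for exported functions (BASH_FUNC_name%%).
FUNC_NAME_PREFIX = "BASH_FUNC_"


def find_function_imports(env):
    """Return sorted names of variables a bash child could import as functions."""
    return sorted(
        name for name, value in env.items()
        if value.startswith(FUNC_PREFIX) or name.startswith(FUNC_NAME_PREFIX)
    )


def scrub_env(env):
    """Return a copy of env without any function-definition variables."""
    flagged = set(find_function_imports(env))
    return {k: v for k, v in env.items() if k not in flagged}


def run_clean(argv, env=None):
    """Run argv directly (no shell) with a scrubbed environment; return stdout."""
    source = os.environ if env is None else env
    result = subprocess.run(argv, env=scrub_env(source), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample environment reproducing the post's `cat` override.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/tmp",
    "cat": "() { echo uh-oh; }",
    "BASH_FUNC_ls%%": "() {  echo uh-oh\n}",
}

if __name__ == "__main__":
    print("flagged:", find_function_imports(SAMPLE_ENV))
    child = [sys.executable, "-c", "import os; print('cat' in os.environ)"]
    merged = dict(os.environ, **SAMPLE_ENV)
    print("child sees cat:", run_clean(child, merged).strip())
```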