[Baypiggies] ALERT Real Bash vulnerability
Glen Jarvis
glen at glenjarvis.com
Thu Sep 25 02:22:03 CEST 2014
Believe it or not...
"What the....."
I've patched servers all afternoon...
Bash (the program that is the command line where you type 'python') is
actually vulnerable to injection attacks. If you're running a webserver,
for example, you could be in trouble (environment variables set from
webserver headers can execute commands directly on the machine).
To test:
prompt> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
This is bad:
vulnerable
this is a test
This is good:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Details:
#86144 CVE-2014-6271: remote code execution through bash
omg:
https://news.ycombinator.com/item?id=8361574
wtf:
http://seclists.org/oss-sec/2014/q3/649
a good explanation:
http://seclists.org/oss-sec/2014/q3/650
mgrosso <https://repairpal.slack.com/team/mgrosso> [1:26 PM] fyi.
--
"You grab mindshare by being there."
-- Alex Martelli
Bay Area Python Interest Group Talk
24-Oct, 2013
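The post says headers reach bash as environment variables and gives a one-line probe. The script below is an added example, not part of Glen's message: it shows the header-to-variable mapping a CGI gateway performs (RFC 3875 style, `User-Agent` becomes `HTTP_USER_AGENT`), a check for the `() {` prefix that the vulnerable function-import code keys on, and the post's own probe wrapped in a reusable function. The header value is a constructed sample, not a captured request, and the probe only echoes, so it is safe to run.

```shell
#!/bin/sh
# Added example (not from the original post): how a CGI request reaches bash,
# plus the post's probe as a reusable function.

# Map an HTTP header name to the environment variable a CGI gateway exports
# it as: "User-Agent" -> HTTP_USER_AGENT (uppercase, '-' becomes '_').
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z-' 'A-Z_'
}

# Return 0 when a header value looks like an exported-function payload:
# it begins with "() {", which is what the vulnerable bash import code
# treats as a function definition before running whatever follows.
header_is_shellshock() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run the same probe the post uses against a bash binary (default: the one
# on PATH). Prints "vulnerable", "patched", or "unknown" if bash is absent.
# stderr is discarded because a patched bash prints its warning there.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out="$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)"
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Constructed sample request (not a real capture): what a scanner would send.
sample_header_name='User-Agent'
sample_header_value='() { :;}; /bin/echo attacker-controlled'

if header_is_shellshock "$sample_header_value"; then
    echo "$(cgi_env_name "$sample_header_name") would carry a function definition into bash"
fi
echo "local bash: $(shellshock_check)"
```

The prefix check is what a quick filter in front of a CGI script can do; it is not a substitute for patching, since the real fix is bash refusing to import functions from arbitrary variables, which is what the "ignoring function definition attempt" warning above indicates.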