[Baypiggies] ALERT Real Bash vulnerability

Glen Jarvis glen at glenjarvis.com
Thu Sep 25 02:22:03 CEST 2014

Believe it or not..

"What the....."

I've patched servers all afternoon...

Bash (the program that is the command line where you type 'python') is
actually vulnerable to injection attacks. If you're running a webserver,
for example, you could be in trouble (environment variables through
webserver headers can execute commands directly on the machine).

To test:

prompt> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

This is bad:

this is a test

This is good:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test


#86144 CVE-2014-6271: remote code execution through bash

a good explanation:
mgrosso <https://repairpal.slack.com/team/mgrosso> [1:26 PM]: fyi.


"You grab mindshare by being there."

-- Alex Martelli

   Bay Area Python Interest Group Talk

   24-Oct, 2013
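
An added example, not part of the original message: a POSIX shell wrapper around the test command quoted above that classifies the result for each bash binary passed as an argument. The function names and verdict strings are assumptions made for this example. Later bash releases print only "this is a test" with no warning, so the verdict keys on whether the line "vulnerable" appears, not on the warning text.

```shell
#!/bin/sh
# Added example: run the env-variable test from the post against one or more
# bash binaries and classify the output. Names below are hypothetical.

# Classify captured test output (stdout and stderr combined).
classify_shellshock_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        # The command trailing the function definition was executed.
        echo VULNERABLE
    elif ! printf '%s\n' "$1" | grep -qx 'this is a test'; then
        # The harmless command never ran, so nothing can be concluded.
        echo INCONCLUSIVE
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        # Early patch level: the import is rejected with a warning.
        echo PATCHED_WARNED
    else
        # Later patch level: x is treated as an ordinary variable.
        echo PATCHED_SILENT
    fi
}

# Run the test from the post against a specific bash binary.
check_bash() {
    bash_path=$1
    if [ ! -x "$bash_path" ]; then
        echo MISSING
        return 0
    fi
    result=$(env x='() { :;}; echo vulnerable' "$bash_path" -c 'echo this is a test' 2>&1)
    classify_shellshock_output "$result"
}

# Usage: sh check_bash.sh /bin/bash /usr/local/bin/bash
for candidate in "$@"; do
    printf '%s: %s\n' "$candidate" "$(check_bash "$candidate")"
done
```

Pass every bash binary on the host, including ones bundled in chroots or application directories, since each copy is patched separately.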