IBU

Consol

http://www.berklix.com/~jhs/bash/

By Julian H. Stacey - Other Blogs & Texts

Friday 26 September 2014 - Best avoid web forms for some days !
(I wonder how many bank, commerce, & government etc web programmers won't even start securing their systems till after the weekend ? )

Another Security Alert: ShellShock (BASH).
Bash specially crafted environment variables code injection attack.
(Just when you were relaxing after the Heartbleed (SSL) April security alert)).

Why ShellShock (BASH) may affect you:

• Many/most of the world's web servers run Apache on Linux.
• Linux (& OS X 10.2) use bash, not /bin/sh (FreeBSD & other BSDs do not, they're more conservative ).
• Bash (a command interpreter (like /bin/sh & MS command.com)) has security holes.
• Apparently lots of web scripts that run on Apache servers are written in Bash (& Bash is prevalent in Apache httpd sample scripts, see below.

References

• securityblog.redhat.com
• arstechnica.com
• fsf.org
• web.nvd.nist.gov CVE-2014-6271
• web.nvd.nist.gov CVE-2014-7169
• apache.org server
• lists.freebsd.org ports & questions & security 1 &   security 2
• svnweb.freebsd.org
  Revision 369341, Fri Sep 26 20:33:23 2014 UTC
  "Disable function importing from the environment by default."

Apache Sample Scripts

cd /usr/ports/www/apache22/work/httpd-2.2.25
find . -type f | xargs grep -i -l bash | sort
vi  -c/bash `find . -type f | xargs grep -i -l bash | sort`
./CHANGES
./README.platforms
./build/rpm/htcacheclean.init
./build/rpm/httpd.init
./configure
./configure.bak
./modules/proxy/proxy_util.c # Just Comments
./srclib/apr-util/configure
./srclib/apr-util/test/nw_misc.c
./srclib/apr-util/xml/expat/README
./srclib/apr-util/xml/expat/configure
./srclib/apr-util/xml/expat/conftools/libtool.m4 # Just Comments
./srclib/apr/build/libtool.m4 # Just Comments
./srclib/apr/configure
./srclib/apr/include/apr_file_info.h # Just Comments
./srclib/apr/test/nw_misc.c
./srclib/pcre/configure

A Test