[Osem]

Quote:

Originally Posted by qasdfdsaq

Guess that's another good example of why you should always run your web server processes in a deprivileged account...

Nonetheless the original source linked from your NIST article:

https://securityblog.redhat.com/2014...ection-attack/

says the vulnerability can be exploited via:

• Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string)

But:

• PHP scripts executed with mod_php are not affected even if they spawn subshells.

So I fail to see how else it could be exploited via HTTP, if your process can't execute or spawn shells to begin with...


Ah well, I guess I'll have to keep reading up on this... Makes my job fun.




---------- Post added at 13:57 ---------- Previous post was at 13:56 ----------


If you're running Windows, it will not affect you at all.

If you're running Mac or Linux but don't run any servers, you should be fine as long as attackers don't have direct physical access to your home network. On a public hotspot you might have to worry...

Makes a change.

TVM