Sep. 25th, 2014

shellshock

Sep. 25th, 2014 05:39 pm
doc_strange: (Do Not Want)
Perhaps you've not heard? Bash, when handed some rotten ENV components, messes up badly and can allow someone able to set the ENV to execute arbitrary commands.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Ok. Um, WHO CALLS A SHELL WITH RANDOM ENV CRAP FROM UNTRUSTED PARTIES!?!! This is like a 1997 bug!



Just checked. The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's 1991 seminal Practical Unix Security (or at least the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE; it is so basic.
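The practice described above, sketched in C as an added example (not code from the original post or from the book): the caller builds a fresh environment with a fixed PATH and passes through only allowlisted names whose values are plain. The allowlist, the value rule, and the names `build_clean_env` and `run_shell_clean` are assumptions made for illustration.

```c
#include <string.h>
#include <unistd.h>

/* Assumption: only these inherited variable names may be passed through. */
static const char *const ALLOWED[] = { "TZ", "LANG", NULL };

/* Conservative value rule (assumed): 1..64 chars from [A-Za-z0-9_./:+-]. */
static int value_is_plain(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > 64) return 0;
    return strspn(v, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789_./:+-") == n;
}

/* Fill out[] with a NULL-terminated envp: a fixed PATH, then each allowlisted
 * name found in src if its value is plain. Nothing else is inherited.
 * Returns the number of entries, or -1 if out[] (cap slots) is too small. */
int build_clean_env(char *const src[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t a = 0; ALLOWED[a]; a++) {
        size_t klen = strlen(ALLOWED[a]);
        for (size_t i = 0; src && src[i]; i++) {
            if (strncmp(src[i], ALLOWED[a], klen) || src[i][klen] != '=') continue;
            if (value_is_plain(src[i] + klen + 1)) {
                if (n + 1 >= cap) return -1;
                out[n++] = src[i];
            }
            break; /* first occurrence decides; later duplicates are ignored */
        }
    }
    out[n] = NULL;
    return (int)n;
}

/* Run a fixed command under /bin/sh with only the clean environment. */
int run_shell_clean(char *const inherited[], const char *cmd) {
    char *envp[8];
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };
    if (build_clean_env(inherited, envp, 8) < 0) return -1;
    execve("/bin/sh", argv, envp);
    return -1; /* execve returns only on failure */
}

int main(void) {
    /* Constructed sample of an environment a network service might inherit. */
    char *inherited[] = { "TZ=UTC", "HTTP_USER_AGENT=some client; text", NULL };
    return run_shell_clean(inherited, "env");
}
```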
