shellshock

Sep. 25th, 2014 05:39 pm
Posted by [personal profile] doc_strange (userpic: Do Not Want)
Perhaps you've not heard? Bash, when handed some rotten ENV components, messes up badly and can allow someone able to set the ENV to execute arbitrary commands. Specifically: bash imports any exported variable whose value starts with "() {" as a function definition, and an unpatched bash keeps parsing past the closing brace and executes whatever commands follow it, at startup, before it runs anything you actually asked for.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Ok. Um, WHO CALLS A SHELL WITH RANDOM ENV CRAP FROM UNTRUSTED PARTIES!?!! This is like a 1997 bug!

Just checked. The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's 1991 seminal Practical Unix Security (or at least the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE, it is so basic.
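The two halves of the post, as an added shell example (mine, not code from the post or from the linked Red Hat advisory): the well-known one-line probe for the bash bug, and the scrubbed-environment call that Garfinkel & Spafford recommend. The usual victim is a web server running CGI handlers, because CGI turns request headers into HTTP_* environment variables before exec'ing the handler; any other program that execs a shell with a caller-controlled environment is in the same position. It assumes bash and a POSIX sh are on the PATH; the function names are my own.

```shell
#!/bin/sh
# Added example; not code from the post. Assumes bash and a POSIX sh exist.

# Probe for the bug: bash imports exported variables whose value starts with
# "() {" as shell functions. An unpatched bash keeps parsing past the closing
# brace and runs the trailing "echo vulnerable" while it is still starting up,
# before the command it was asked to run. A patched bash prints only "test".
shellshock_probe() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# The fix the post is shouting about: blow away the environment before calling
# a shell. "env -i" starts the child with an empty environment plus only the
# variables named here, so a hostile variable never reaches the shell's parser.
run_clean() {
    env -i PATH=/usr/bin:/bin HOME=/tmp LANG=C sh -c "$1"
}

# Check that a hostile variable exported by the caller does not survive the
# scrub: the prefix assignment exports x to env, env -i discards it, and the
# child shell never sees it. Without "-i" it would arrive intact.
hostile_var_survives_scrub() {
    x='() { :;}; echo pwned' env -i PATH=/usr/bin:/bin \
        sh -c 'if [ -n "$x" ]; then echo yes; else echo no; fi'
}

# Untrusted data belongs in argv, not in the environment and not spliced into
# the command string. $1 is handed to the child shell as a positional
# parameter and printed verbatim; the function-looking text is never parsed.
run_clean_with_arg() {
    env -i PATH=/usr/bin:/bin sh -c 'printf "%s\n" "$1"' sh "$1"
}

# Usage:
#   shellshock_probe
#   run_clean 'id; echo "$PATH"'
#   run_clean_with_arg '() { :;}; echo pwned'
```

On a patched bash the probe prints "test" and the function reports "not vulnerable"; the point of the other three functions is that it should not matter, because nothing attacker-controlled reaches the shell's environment in the first place.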
From: [identity profile] livejournal.livejournal.com
User [livejournal.com profile] weev referenced to your post from Dear clueless assholes: stop bashing bash and GNU. (http://weev.livejournal.com/409835.html) saying: [...] you execute a UNIX command with untrusted input, you clear away the environment variables first [...]
