shellshock

Sep. 25th, 2014 05:39 pm
doc_strange
Perhaps you've not heard? Bash, when handed some rotten ENV components, messes up badly and can allow someone able to set the ENV to execute arbitrary commands.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Ok. Um, WHO CALLS A SHELL WITH RANDOM ENV CRAP FROM UNTRUSTED PARTIES!?!! This is like a 1997 bug!
Just checked. The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's 1991 seminal Practical Unix Security (or at least the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE, it is so basic.
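As an added example (not part of the original post), this is what "blowing away the environment" looks like in Python: the child gets a small allowlisted environment built from scratch rather than the inherited one, PATH is pinned, and any value shaped like an exported Bash function definition (the literal `() {` prefix that Shellshock abused) is flagged for logging. The variable names and the sample CGI environment are constructed for the example.

```python
import os
import subprocess

# Only these inherited variables may reach a child shell. Anything an untrusted
# party could have set (CGI request headers, QUERY_STRING, ...) is never copied.
ALLOWED_KEYS = ("LANG", "TZ", "HOME")
# PATH is always pinned, never taken from the caller.
FIXED_PATH = "/usr/bin:/bin"

def looks_like_bash_function(value):
    """Unpatched bash imported any env value beginning with the literal '() {'
    as a function definition; request data has no business looking like that."""
    return value.startswith("() {")

def suspicious_keys(env):
    """Names of variables whose values look like exported Bash functions
    (for logging/alerting before the request is rejected)."""
    return sorted(k for k, v in env.items() if looks_like_bash_function(v))

def clean_environment(env):
    """Build a fresh environment instead of inheriting the caller's."""
    clean = {"PATH": FIXED_PATH}
    for key in ALLOWED_KEYS:
        value = env.get(key)
        if value is not None and not looks_like_bash_function(value):
            clean[key] = value
    return clean

def run_in_clean_env(argv, env=os.environ):
    """Run a command with a scrubbed environment; returns the exit status."""
    return subprocess.run(argv, env=clean_environment(env)).returncode

# Constructed sample: roughly what a CGI gateway hands a script, with one
# header value shaped like the Shellshock trigger.
SAMPLE_ENV = {
    "PATH": "/tmp/writable:/usr/bin",
    "LANG": "C",
    "HTTP_USER_AGENT": "() { :; }; echo injected",
    "QUERY_STRING": "q=1",
}

if __name__ == "__main__":
    print("flagged  :", suspicious_keys(SAMPLE_ENV))
    print("child env:", clean_environment(SAMPLE_ENV))
```

The important part is that `clean_environment` starts from an empty dict: nothing the caller set survives unless it is explicitly copied in.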