Adam Tauno Williams
awilliam at whitemice.org
Thu Sep 25 08:16:53 EDT 2014
On Wed, 2014-09-24 at 15:08 -0400, Mark Farver wrote:
> I think it is a stretch to label this remotely exploitable.

Ditto. This is a theoretical exploit of a system that has issues.
On the other hand, updating bash should be pretty non-invasive.

> If an attacker has remote control of environment variables you have
> bigger problems.

Especially if the attacker has SSH access to the box!

1. The default setting in modern SSH versions is
2. The default value of "AcceptEnv" is the empty set.
3. There has been a warning about pushing environment variables via
SSH since I can remember.

Shell scripts via CGI on the other hand.... just pretty bad idea all

Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
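
The "AcceptEnv" point in item 2 above, as an added example that is not part of the original message: a small Python audit that lists which client-supplied environment variable names an sshd_config would accept, per scope. The configuration text and all function names are constructed for illustration; patterns are treated as simple `*` / `?` wildcards.

```python
import re

# Constructed sample configuration, not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
# constructed example
Port 22
AcceptEnv LANG LC_*
acceptenv=GIT_?
Match User deploy
    AcceptEnv *
"""

def accept_env_rules(config_text):
    """Return [(scope, pattern)] for every AcceptEnv directive found."""
    rules, scope = [], "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        args = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + args         # applies until the next Match line
        elif keyword == "acceptenv":
            rules.extend((scope, p) for p in args.split())
    return rules

def pattern_matches(pattern, name):
    """Whole-string wildcard match: '*' is any run, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None

def scopes_accepting(config_text, name):
    """Scopes in which a client-sent variable called `name` would be accepted."""
    return sorted({scope for scope, pat in accept_env_rules(config_text)
                   if pattern_matches(pat, name)})

if __name__ == "__main__":
    for scope, pat in accept_env_rules(SAMPLE_SSHD_CONFIG):
        flag = "  <-- accepts every name" if pat == "*" else ""
        print(f"{scope}: AcceptEnv {pat}{flag}")
    print("no AcceptEnv lines:", accept_env_rules("Port 22\n"))
```

An empty result means the file sets no AcceptEnv at all, which is the default the message describes.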