[GRLUG] CVE-2014-6271
Adam Tauno Williams
awilliam at whitemice.org
Thu Sep 25 08:16:53 EDT 2014
On Wed, 2014-09-24 at 15:08 -0400, Mark Farver wrote:
> I think it is a stretch to label this remotely exploitable.
Ditto. This is a theoretical exploit of a system that has issues.
On the other hand updating bash should be pretty non-invasive.
> If an attacker has remote control of environment variables you have
> bigger problems.
Especially if the attacker has SSH access to the box!
FYI:
1. The default setting in modern SSH versions is
"PermitUserEnvironment no"
2. The default value of "AcceptEnv" is empty set.
3. There has been a warning about pushing environment variables via
SSH since I can remember.
Shell scripts via CGI on the other hand.... just pretty bad idea all
around IMNSHO.
--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
More information about the grlug
mailing list