The parameters of the system() function have been verified as valid IP/netmask format by the script, so I don't think other parameters would be able to slip in in this case.

--Sheng

On Tue, Sep 30, 2014 at 8:38 AM, Go Chiba <go.ch...@gmail.com> wrote:

> Hi folks,
>
> By my digging, ipcalc included a system() function call, but our Debian-based
> system VMs are using dash as the system shell. So I think this Shellshock
> concern does not directly affect the system VM cgi-bin, right?
>
> GO
>
> from my iPhone
>
> On 2014/09/30 10:13, Demetrius Tsitrelis <demetrius.tsitre...@citrix.com>
> wrote:
>
> > http://systemvm-public-ip/cgi-bin/ipcalc is a perl script.
> >
> > -----Original Message-----
> > From: Sheng Yang [mailto:sh...@yasker.org]
> > Sent: Monday, September 29, 2014 5:21 PM
> > To: <dev@cloudstack.apache.org>
> > Subject: Re: Shellshock
> >
> > http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's
> > normal that it cannot be exploited.
> >
> > --Sheng
> >
> >> On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis <
> >> demetrius.tsitre...@citrix.com> wrote:
> >>
> >> Do you mean you tried setting the USER_AGENT like in
> >> https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard-remote-detection-for-bash-shellshock
> >> ?
> >>
> >>
> >> -----Original Message-----
> >> From: Ian Duffy [mailto:i...@ianduffy.ie]
> >> Sent: Friday, September 26, 2014 6:56 AM
> >> To: CloudStack Dev
> >> Subject: Re: Shellshock
> >>
> >> Tried this against the latest system vms built on Jenkins.
> >>
> >> Didn't get a successful exploited response. Tested against
> >> http://systemvm-public-ip/cgi-bin/ipcalc
> >>> On 25 Sep 2014 16:56, "Abhinandan Prateek" <agneya2...@gmail.com> wrote:
> >>>
> >>>
> >>> After heart bleed we are Shell shocked
> >>> http://www.bbc.com/news/technology-29361794 !
> >>> It may not affect cloudstack directly as it is a vulnerability that
> >>> affects bash, and allows the attacker to take control of the system
> >>> running bash shell.
> >>>
> >>> -abhi
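
An audit sketch for the two questions this thread turns on: is a CGI file itself a bash script, and if it calls system(), does that call go through bash or dash. This is an added example, not part of any message above or of CloudStack's code; `SH_PATH`, the function names and the grep heuristic for system()/backtick calls are assumptions.

```shell
#!/bin/sh
# Added example (not CloudStack code): classify CGI files by whether a
# request can end up running bash. SH_PATH is an assumption: the shell
# that system() and backticks invoke, /bin/sh unless overridden.
SH_PATH="${SH_PATH:-/bin/sh}"

# Print the basename of the real binary behind a path (follows symlinks).
real_name() {
    basename "$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")"
}

# Print the interpreter named on the shebang line; for "#!/usr/bin/env X"
# print X. Prints nothing when the file has no shebang.
shebang_interp() {
    head -n 1 "$1" | awk '/^#!/ {
        sub(/^#![ \t]*/, ""); n = split($0, a, /[ \t]+/)
        if (a[1] ~ /\/env$/ && n > 1) print a[2]; else print a[1]
    }'
}

# classify_cgi FILE prints one of:
#   bash-script      the interpreter itself resolves to bash
#   shells-out-bash  the file uses system()/backticks and SH_PATH is bash
#   no-bash-path     neither was found (a heuristic, not proof of safety)
classify_cgi() {
    interp=$(shebang_interp "$1")
    if [ -n "$interp" ] && [ "$(real_name "$interp")" = bash ]; then
        echo bash-script; return
    fi
    if grep -Eq 'system[[:space:]]*\(|`' "$1" &&
       [ "$(real_name "$SH_PATH")" = bash ]; then
        echo shells-out-bash; return
    fi
    echo no-bash-path
}

# audit_cgi_dir DIR prints "<class><TAB><file>" for each regular file.
audit_cgi_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && printf '%s\t%s\n' "$(classify_cgi "$f")" "$f"
    done
    return 0
}
```

Run `audit_cgi_dir` against the cgi-bin directory on the host being checked; the shell behind `/bin/sh` matters because that is where inherited CGI environment variables get parsed, independent of how the system() arguments are validated.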