Actually, I am not sure. Only the env.cgi script is loaded and, while the other scripts are in perl, there is nothing in the video which shows the source for the env.cgi script so it may not be perl.
-----Original Message----- From: Demetrius Tsitrelis [mailto:[email protected]] Sent: Wednesday, October 01, 2014 10:52 AM To: <[email protected]> Subject: RE: Shellshock Interestingly this video shows attack against a perl script... https://www.youtube.com/watch?v=ArEOVHQu9nk -----Original Message----- From: Demetrius Tsitrelis [mailto:[email protected]] Sent: Monday, September 29, 2014 6:13 PM To: <[email protected]> Subject: RE: Shellshock http://systemvm-public-ip/cgi-bin/ipcalc is a perl script. -----Original Message----- From: Sheng Yang [mailto:[email protected]] Sent: Monday, September 29, 2014 5:21 PM To: <[email protected]> Subject: Re: Shellshock http://systemvm-public-ip/cgi-bin/ipcalc is NOT a bash script, so it's normal that it cannot be exploited. --Sheng On Fri, Sep 26, 2014 at 1:57 PM, Demetrius Tsitrelis < [email protected]> wrote: > Do you mean you tried setting the USER_AGENT like in > https://community.qualys.com/blogs/securitylabs/2014/09/25/qualysguard > -remote-detection-for-bash-shellshock > ? > > > -----Original Message----- > From: Ian Duffy [mailto:[email protected]] > Sent: Friday, September 26, 2014 6:56 AM > To: CloudStack Dev > Subject: Re: Shellshock > > Tried this against the latest system vms built on Jenkins. > > Didn't get a successful exploited response. Tested against > http://systemvm > - public-ip/cgi-bin/ipcalc > On 25 Sep 2014 16:56, "Abhinandan Prateek" <[email protected]> wrote: > > > > > After heart bleed we are Shell shocked > > http://www.bbc.com/news/technology-29361794 ! > > It may not affect cloudstack directly as it is a vulnerability that > > affects bash, and allows the attacker to take control of the system > > running bash shell. > > > > -abhi >
