you need to find a vulnerable site. CGI doesn't have to pass through bash. you need a site that opens a subshell for something. they aren't uncommon, but it's not every linux-CGI site.
On Fri, Sep 26, 2014 at 2:33 PM, Eli Billauer <e...@billauer.co.il> wrote: > Hi, > > I did > > # yum upgrade bash > > on Haifux' server, and it's off the hook. But I was also surprised that it > the attack failed even before that. > > Eli > > > On 26/09/14 12:39, guy keren wrote: > >> On 09/26/2014 12:30 PM, Eli Billauer wrote: >> >>> env x='() { :;}; echo vulnerable' bash -c 'echo This is a test' >>> >> >> you're too late - there's a (partial?) fix being distributed around... >> >> --guy >> _______________________________________________ >> Haifux mailing list >> Haifux@haifux.org >> http://haifux.org/mailman/listinfo/haifux >> >> > > -- > Web: http://www.billauer.co.il > > > _______________________________________________ > Haifux mailing list > Haifux@haifux.org > http://haifux.org/mailman/listinfo/haifux >
_______________________________________________ Haifux mailing list Haifux@haifux.org http://haifux.org/mailman/listinfo/haifux