On 25 Sep 2014, at 14:52, gvim wrote:
I built a site several years ago with CGI::Application which runs in
cgi, not psgi mode. Is it likely to be vulnerable to the recent bash
security hole which I understand revolves around setting ENV
variables?
From what I gather, there is a good chance that your HTTP server will
pass the environment variables through bash before the shebang line
triggers perl so you could be vulnerable.
Test your installed version of bash with
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Look for the word *vulnerable* in the output and upgrade it if it is.
I found [Everything you need to know about the Shellshock Bash bug][1]
to be interesting reading.
[1]:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
--
David Dorward
http://dorward.co.uk/
