You tested bash. All 3 shells are behaving correctly by passing the env variable to the bash command you are running. the bash command you are running is behaving incorrectly by parsing the variable as a function.
To test ksh/csh, you need to run a different command. On 2014 Sep 29 (Mon) at 03:53:58 -0700 (-0700), Bogdan Andu wrote: :Hello list, : :the bug in bash shell discovered last day also seems to be present in ksh and csh. ksh is known to be the default shell in OpenBSD. : :the following piece of shell code executes succesffuly on both ksh and csh (besides bash of course): :ksh: :$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test" :Bash is vulnerable! :Bash Test : :csh: :% env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test" :Bash is vulnerable! :Bash Test : : :bash: :$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test" :Bash is vulnerable! :Bash Test : :all platforms seem to be affected 5.2, 5.3, 5.4, 5.5 - amd64 : : :I wonder what it is to be done to circumvent any potential security risc for people who call shell script code from cgi scripts for example. : : :Cheers, : :/Bogdan : -- Help fight continental drift.