You tested bash.  All 3 shells are behaving correctly by passing the env
variable to the bash command you are running.  The bash command you are
running is behaving incorrectly by parsing the variable as a function.

To test ksh/csh, you need to run a different command.


On 2014 Sep 29 (Mon) at 03:53:58 -0700 (-0700), Bogdan Andu wrote:
:Hello list,
:
:the bug in bash shell discovered last day also seems to be present in ksh and csh. ksh is known to be the default shell in OpenBSD.
:
:the following piece of shell code executes successfully on both ksh and csh (besides bash of course):
:ksh:
:$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
:Bash is vulnerable!
:Bash Test
:
:csh:
:%  env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
:Bash is vulnerable!
:Bash Test
:
:
:bash:
:$ env VAR='() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
:Bash is vulnerable!
:Bash Test
:
:all platforms seem to be affected 5.2, 5.3, 5.4, 5.5 - amd64
:
:
:I wonder what is to be done to circumvent any potential security risk for people who call shell script code from cgi scripts for example.
:
:
:Cheers,
:
:/Bogdan
:

-- 
Help fight continental drift.
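
The point of the reply above, as an added example that is not part of the original messages: the probe has to name the interpreter being tested as the command that `env` starts, because the shell you type the line into only passes the variable along. The names `check_shell`, `report` and `MARKER` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: probe the interpreter that is *invoked*, not the shell
# the command line happens to be typed into.

# Constructed marker string; it appears in the output only if the target
# parsed the variable as a function definition and ran the trailing command.
MARKER="function-import-executed"

# check_shell NAME_OR_PATH
# Prints one of: "absent", "vulnerable", "not vulnerable".
check_shell() {
    target=$1
    if ! command -v "$target" >/dev/null 2>&1; then
        echo "absent"
        return 0
    fi
    # Same probe as in the thread, but with the target as the command run
    # by env instead of a hard-coded "bash".
    out=$(env VAR="() { :;}; echo $MARKER" "$target" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# report SHELL...
# One line per interpreter, so each result is attributed to the right binary.
report() {
    for candidate in "$@"; do
        printf '%-6s %s\n' "$candidate" "$(check_shell "$candidate")"
    done
}

report bash ksh csh sh
```

A shell that reports "not vulnerable" here can still hand the variable to a vulnerable bash started further down the chain, for example from a CGI script, so the check belongs on every interpreter such scripts invoke.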
