> From: Brandon Allbery [mailto:[email protected]]
>
> I haven't looked to see if Apple's "Web Sharing" involves any CGI scripts. If it
> does, then Web Sharing is vulnerable.
If you have any web server that will execute arbitrary code uploaded by a client, that would be vulnerable, but then again, if that's the case, the attacker doesn't need the bash bug anymore, do they?

The point of this bash bug is that it will execute code it's not supposed to execute, if you can both manipulate the environment *and* get bash to execute something else. This vulnerability is not sufficient, all by itself, to compromise anybody's system. In order to use it as part of an attack, the attacker needs to chain multiple vulnerabilities together. Unlike heartbleed - which was vulnerable to undetected remote attackers having no other knowledge of any vulnerabilities on your system - shellshocker can't be exploited remotely without some other bug having compromised the system first.

The reason people are calling this "worse than heartbleed" is because (a) sensationalist reporting, and (b) the number of systems with bash is higher than the number of systems with openssl. But that number alone is misleading, because shellshocker is not as easily exploited.

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
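The two preconditions the message names, attacker-controlled environment values and a bash invocation that parses them, are exactly what a CGI gateway provides when it copies request headers into variables such as HTTP_USER_AGENT. The following detector is an added example, not code from the list thread or from any project discussed in it; it scans HTTP header lines for the leading function-definition prefix that a pre-fix bash would interpret. The header lines are constructed sample data, and the `scan_headers` / `is_shellshock_payload` names are this example's own.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample: raw request headers as a reverse proxy or WAF would see them.
# Two values carry the "() {" prefix that a vulnerable bash treats as an exported
# function definition when the web server copies the header into its environment.
# Sample data only, not captured traffic.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
    "Cookie: session=abc123",
    "User-Agent: () { :;}; echo test",
    "Referer: https://example.test/index.html",
    "X-Forwarded-For: () {  :; }; /bin/true",
]

# A pre-fix bash imports any environment value that starts with "() {" as a
# function body and keeps parsing after the closing brace. The detectable
# signature is therefore the leading "() {" (whitespace optional); whatever
# follows the brace is text the environment should never have been able to run.
SHELLSHOCK_PATTERN = re.compile(r"^\s*\(\)\s*\{")


def split_header(line: str) -> Tuple[str, str]:
    """Split 'Name: value' into (name, value), tolerating missing colons."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


def is_shellshock_payload(value: str) -> bool:
    """True when the header value begins with a bash function-definition prefix."""
    return SHELLSHOCK_PATTERN.match(value) is not None


def scan_headers(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (header name, value) pairs whose value looks like a function definition."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        name, value = split_header(line)
        if is_shellshock_payload(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for name, value in scan_headers(SAMPLE_HEADERS):
        print(f"ALERT: header {name!r} carries a bash function definition: {value!r}")
```

Matching on the prefix rather than on any particular trailing command is deliberate: the command after the brace varies per probe, but the `() {` opener is what the parser keys on, so it is the stable part of the signature. Running the check at the proxy or in log review also tells you whether anyone is probing, independent of whether a given server actually hands headers to a bash-backed handler.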
