On 29 Sep 2014, at 19:41, Pete Houston wrote:

> It is not a flaw in apache. Apache is simply a network-enabled channel
> through which exploitative payloads may be delivered to unpatched
> installations of bash (one of many such channels).

Yep.  mod_taint (or any other Apache-based solution) is secondary protection.
Updating bash must be your primary defence.

Your system may not be vulnerable in the first place.  If bash isn't
your default shell then the chances of it getting invoked by anything
running under apache are very remote.  Check #!/bin/sh: if it's not
a link to bash then the chances of bash ever being reachable through
apache are very remote unless/until your attacker already owns you.

If you want to be properly paranoid, run apache in a VM or chroot jail
with no bash at all!

-- 
Nick Kew
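
The /bin/sh check described in the message above, as an added example that is not part of the original post or of any Apache tooling. It reports whether an interpreter path resolves to bash and lists the scripts under a directory whose `#!` line leads to bash. The function names and the optional ROOT prefix (for inspecting a chroot tree from outside) are hypothetical, and GNU `readlink -f` is assumed.

```shell
#!/bin/sh
# Added example. Usage on a live system (directory is an assumption):
#   resolves_to_bash /bin/sh && echo "/bin/sh is bash"
#   bash_backed_scripts /usr/lib/cgi-bin

# resolves_to_bash INTERP [ROOT] -> exit 0 if INTERP ends up at a bash binary.
# Name-based: a bash binary copied or hard-linked to another name is not detected.
# With ROOT, only relative symlinks stay inside ROOT when resolved.
resolves_to_bash() {
    case "$1" in
        /*) target=$(readlink -f -- "${2:-}$1" 2>/dev/null) || return 1 ;;
        *)  target=$1 ;;   # bare name taken from "#!/usr/bin/env NAME"
    esac
    case "${target##*/}" in
        bash|bash-[0-9]*) return 0 ;;
    esac
    return 1
}

# shebang_interp FILE -> prints the interpreter named on the "#!" line, if any.
shebang_interp() {
    head -n 1 -- "$1" 2>/dev/null | awk '
        /^#!/ {
            sub(/^#![ \t]*/, "")
            n = split($0, w, /[ \t]+/)
            # "#!/usr/bin/env bash": the real interpreter is the next word
            if (w[1] ~ /\/env$/ && n > 1) print w[2]; else print w[1]
        }'
}

# bash_backed_scripts DIR [ROOT] -> one "file<TAB>interpreter" line per script
# under DIR whose interpreter resolves to bash.
bash_backed_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        interp=$(shebang_interp "$f")
        [ -n "$interp" ] || continue
        if resolves_to_bash "$interp" "${2:-}"; then
            printf '%s\t%s\n' "$f" "$interp"
        fi
    done
}
```

An empty listing only covers `#!` lines; it says nothing about programs that call system() or popen(), which go through /bin/sh and are covered by the first check.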
