× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. September 2014

Re: "Shellshock" BASH vulnerability

Wilson.

From what little i've read it is like you say but with the caveat that
there are lots of things in the *ix world that use bash in one way or
another and one of the easiests ways to trigger this vulnerability is with
CGI scripts which end up being parsed by bash (or was it that they use
bash? i can't remember). The point is that it's not only "getting to the
shell" that's a problem is "anything that uses bash is at risk".

Best Regards,

Roberto

On Fri, Sep 26, 2014 at 3:40 PM, Wilson, Jonathan <piercing_male@xxxxxxxxxxx
wrote:

On Thu, 2014-09-25 at 20:33 +0000, Sue Baker wrote:
If you have added BASH to your IBM i in PASE, please check the
NIST CVE database for information about a newly discovered
vulnerability and then check with your source for BASH to obtain
a fix if necessary.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271


I may be wrong, but... from what I can tell on what I've read so far, to
use the exploit you need access to bash, so if a cracker can't get to
bash then they can't use the exploit.

Now there might be applications that use bash that are web facing, so
some exploit of the application would be needed to be able to exploit
the bash exploit.

So, unless I'm reading it all wrong (a distinct possibility!), a user
would have needed to gain access to bash to use the bash exploit... If
they have got as far as bash I would have thought a way of exploiting it
would be the least of your worries?

Jon

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.