The Web Design Group

... Making the Web accessible to all.

> Shellshock vulnerability
jimlongo
post Sep 27 2014, 01:05 PM
Post #1

If you haven't heard, there is a new bug that may be very dangerous.
It is a vulnerability in bash (and sh).
You can start here to get information and if you can SSH into your server you can run some checks that are on that page to see if your server is vulnerable.

And then figure out how to patch it, or in the case of a shared server, get on your provider's case to fix it immediately.

Some of the sensational news articles I've read take this threat to pretty catastrophic levels . . . I'm not convinced of that but certainly any nix webservers need to be patched.
Christian J
post Sep 27 2014, 02:29 PM
Post #2


QUOTE(jimlongo @ Sep 27 2014, 08:05 PM)

if you can SSH into your server you can run some checks that are on that page to see if your server is vulnerable.

On http://en.wikipedia.org/wiki/Shellshock_(software_bug) there are some other examples, but they begin with a $ sign like this:

CODE
$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

--what is the $ sign used for?
jimlongo
post Sep 27 2014, 03:49 PM
Post #3

The $ is just the generic prompt, which usually follows your username. Sometimes you will see a # symbol instead.
You omit it and just enter the command. This is one example.

CODE

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'


here is a later one
CODE

X='() { (a)=>\' bash -c "echo date"


This post has been edited by jimlongo: Sep 27 2014, 03:50 PM
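The two checks posted above, wrapped in a function that reports a result instead of leaving it to reading the output by eye. This is an added example, not part of the original posts; the function names and result strings are chosen here for illustration.

```shell
#!/bin/sh
# Added example: runs the thread's two checks against one shell binary.
# Function names and result strings are chosen here, not from the thread.

# First check: a patched shell treats x as plain data. An affected one
# runs the trailing "echo vulnerable" while importing the environment.
check_first() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *) return 0 ;;
    esac
}

# Later check: an affected bash leaves a file named "echo" in the working
# directory; a patched one just prints "date". Run it in a scratch
# directory so the stray file cannot land anywhere that matters.
check_later() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then found=1; else found=0; fi
    rm -rf "$dir"
    return "$found"
}

# Prints one result string.
# Exit status: 0 = both checks passed, 1 = affected, 2 = could not check.
shellshock_status() {
    bin=$(command -v "${1:-bash}") || { echo "not-found"; return 2; }
    if ! check_first "$bin"; then echo "vulnerable-first-check"; return 1; fi
    rc=0
    check_later "$bin" || rc=$?
    case "$rc" in
        0) echo "passed-both-checks" ;;
        1) echo "vulnerable-later-check"; return 1 ;;
        *) echo "check-error"; return 2 ;;
    esac
}

# Usage after sourcing this file: shellshock_status /bin/bash
```

Both checks only say that these two test strings had no effect, so a pass here does not replace installing the vendor's bash update.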
Darin McGrew
post Sep 28 2014, 12:34 AM
Post #4

Yes, the $ is the default command prompt for a normal user. The # is the default command prompt for the root/superuser account. When they occur at the beginning of a command line, they are not really part of the command and should be ignored.

But if they occur elsewhere, then they have other meanings. For example, $ is used to expand variable values. So in the case of

$ echo $USER

The first $ is the command prompt, and the second $ expands the value of the USER variable (which holds the username of the current user account).
jimlongo
post Sep 28 2014, 11:11 AM
Post #5

Yes, it's a little confusing sometimes (coming from other languages) in that variables are declared without the $ but require it when they're used.

VAR=hello
echo $VAR