On 2014-09-26, Cliff Pratt <enkiduonthenet@xxxxxxxxx> wrote:
> Take the case of an Apache Bash CGI. This will have been loaded when Apache
> started, so Apache will have to be restarted to get the new one.
Based on my (admittedly limited) testing I do not believe this is the
case. Apache exec()'s the interpreter on each request; it doesn't save
the interpreter into its memory space, so each subsequent call should
re-run the interpreter. That's one of the big reasons mod_perl and
their ilk are popular: they do put the interpreter into httpd's memory,
so the interpreter doesn't have to be called on each invocation.
I don't currently have a vulnerable interpreter available on a web
server, but on the servers where I have an updated bash, the
"vulnerable" message that's produced by the example code doesn't show
up in a bash CGI on a web server I haven't restarted.
# example code
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
--keith
--
kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
