On 2014-09-26, John R Pierce <pierce@xxxxxxxxxxxx> wrote: >> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote: >>> > >>> >66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh > > no. mod_cgi launches /bin/sh and passes it the command, even if the > file doesn't exist. and /bin/sh is linked to bash Wouldn't you need a particular Apache configuration for mod_cgi to launch /bin/sh? e.g., /cgi-bin/ configured as a ScriptAlias, and/or *.sh configured with an appropriate handler? Granted that's likely a common configuration, but a site without a configured /cgi-bin/ should be immune to this attack even if their /bin/sh is a symlink to /bin/bash. --keith -- kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
Re: firefox: annoyance
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: firefox: annoyance
- From: Keith Keller <kkeller@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 26 Sep 2014 18:05:50 -0700
- Delivered-to: centos@xxxxxxxxxx
- User-agent: slrn/0.9.9p1 (Linux)
- Follow-Ups:
- Package Bash Redhat 4
- From: Eduardo Augusto Pinto
- Package Bash Redhat 4
- References:
- Re: firefox: annoyance
- From: James B. Byrne
- Re: firefox: annoyance
- From: Valeri Galtsev
- Re: firefox: annoyance
- From: Always Learning
- Re: firefox: annoyance
- From: John R Pierce
- Re: firefox: annoyance
- From: Valeri Galtsev
- Re: firefox: annoyance
- From: John R Pierce
- Re: firefox: annoyance
- Prev by Date: Re: firefox: annoyance
- Next by Date: Re: firefox: annoyance
- Previous by thread: Re: firefox: annoyance
- Next by thread: Package Bash Redhat 4
- Index(es):
 |