Re: firefox: annoyance

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Fri, September 26, 2014 6:05 pm, John R Pierce wrote:
> On 9/26/2014 3:36 PM, Valeri Galtsev wrote:
>> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>>> >On 9/26/2014 2:51 PM, Always Learning wrote:
>>>> >>Probably all Windoze
>>> >
>>> >linux apache web servers with the bash exploit are getting owned en
>>> >masse today.     my (patched) internet web server has logged 100s and
>>> >100s of attempts like...
>>> >
>>> >66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
>> I feel really stupid, but I have to ask. If your server wasn't patched,
>> it
>> only would have owned by the above if that file exists, is executable by
>> apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash
>> location is as first line), right?
>
> no.  mod_cgi launches /bin/sh and passes it the command,  even if the
> file doesn't exist.   and  /bin/sh is linked to bash
>

Apache passes it to mod_cgi to have that discover that referenced file
doesn't exist?!
Did I too program like that when I was programmer?

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux