:Application and recent bash security hole
David Dorward
david at dorward.me.uk
Thu Sep 25 18:20:21 BST 2014
On 25 Sep 2014, at 14:52, gvim wrote:
> I built a site several years ago with CGI::Application which runs in
> cgi, not psgi mode. Is it likely to be vulnerable to the recent bash
> security hole which I understand revolves around setting ENV
> variables?
From what I gather, there is a good chance that your HTTP server will
pass the environment variables through bash before the shebang line
triggers perl so you could be vulnerable.
Test your installed version of bash with
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
Look for the word *vulnerable* in the output and upgrade it if it is.
I found [Everything you need to know about the Shellshock Bash bug][1]
to be interesting reading.
[1]:
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
--
David Dorward
http://dorward.co.uk/
More information about the london.pm
mailing list