:Application and recent bash security hole

David Dorward david at dorward.me.uk
Thu Sep 25 18:20:21 BST 2014

On 25 Sep 2014, at 14:52, gvim wrote:

> I built a site several years ago with CGI::Application which runs in 
> cgi, not psgi mode. Is it likely to be vulnerable to the recent bash 
> security hole which I understand revolves around setting ENV 
> variables?

 From what I gather, there is a good chance that your HTTP server will 
pass the environment variables through bash before the shebang line 
triggers perl so you could be vulnerable.

Test your installed version of bash with

     env x='() { :;}; echo vulnerable' bash -c 'echo hello'

Look for the word *vulnerable* in the output and upgrade it if it is.

I found [Everything you need to know about the Shellshock Bash bug][1] 
to be interesting reading.


David Dorward

More information about the london.pm mailing list