CGI::Application and recent bash security hole

Bill Moseley moseley at
Thu Sep 25 21:33:57 BST 2014

I did a very quick test today using mod_perl running as my own user.
Maybe you could try something similar.

I'm running on CentOS where it is vulnerable:

$ env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
this is a test

In my mod_perl script I added:

system( '/bin/bash -c env >> /home/bill/env.bash' );
system( '/bin/env >> /home/bill/env.env' );

I also included a "print STDERR Dumper \%ENV;" in the mod_perl script.  I'm
using "SetHandler perl-script" to build the CGI environment.

Dumping \%ENV I could see all the CGI environment variables in the Apache
log, but env.out and env.bash didn't contain any of the CGI environment

I also added a header to my request to attempt to use the exploit:

$req->header( Referer => '() { :; }; echo oops >> /home/bill/oops.txt' );

And that file didn't show up, either.

I'm not quite clear where (or sure that) the environment is getting

On Thu, Sep 25, 2014 at 9:59 AM, Sue Spence <virtuallysue at> wrote:

> Is your system shell bash? Does your application have any code which shells
> out to that (system(), ``, qx() etc)?  If so, then probably yes.
> On 25 September 2014 14:52, gvim <gvimrc at> wrote:
> > I built a site several years ago with CGI::Application which runs in cgi,
> > not psgi mode. Is it likely to be vulnerable to the recent bash security
> > hole which I understand revolves around setting ENV variables?
> >
> > gvim
> >

Bill Moseley
moseley at

More information about the mailing list