Bash environment variable code injection over HTTP
Added: 09/26/2014CVE: CVE-2014-6271
BID: 70103
OSVDB: 112004
Background
GNU Bash (Bourne Again SHell) is a command shell commonly used on Linux and Unix systems.Problem
The Bash shell executes commands injected after function definitions contained in environment variables. This could be used by a remote attacker to cause arbitrary commands to execute if a web server hosts programs which invoke the Bash shell.Resolution
Apply updated Bash packages from the Linux or Unix vendor.References
https://www.us-cert.gov/ncas/alerts/TA14-268ALimitations
This exploit requires the path to a web program which invokes the Bash shell. This attack vector may not exist on all systems with affected versions of Bash, and other attack vectors may exist which are not covered by this exploit.Back to exploit index