On Fri, 26 Sep 2014 09:40:17 +1000
Steven D'Aprano <steve at pearwood.info> wrote:
> Perhaps I'm missing something, but aren't there easier ways to attack
> os.system than the bash env vulnerability? If I'm accepting and running
> arbitrary strings from an untrusted user, there's no need for them to go
> to the trouble of feeding me:
>
> "env x='() { :;}; echo gotcha' bash -c 'echo do something useful'"
>
> when they can just feed me:
>
> "echo gotcha"
>
> In other words, os.system is *already* an attack vector, unless you only
> use it with trusted strings. I don't think the bash env vulnerability
> adds to the attack surface.
>
> Have I missed something?

The part where the attack payload is passed through the environment, not
through hypothetical user-injected command-line arguments.

Regards

Antoine.
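The point of the reply above, as an added example that is not part of the original message: a command string can be a trusted constant while the environment handed to the child shell still carries an outside value, so the defensive check belongs on the environment. The names `suspicious_vars`, `scrubbed_env`, `run_trusted` and `UNTRUSTED_VALUE` are hypothetical, and the sample environment is constructed.

```python
import subprocess

# Prefix bash uses to recognise an exported function in an environment
# value; it is the start of the payload quoted in the message above.
FUNC_PREFIX = "() {"


def suspicious_vars(env):
    """Return sorted names of variables whose value looks like a bash function export."""
    return sorted(k for k, v in env.items() if v.lstrip().startswith(FUNC_PREFIX))


def scrubbed_env(env):
    """Copy env without function-like values, so a child shell never parses them."""
    bad = set(suspicious_vars(env))
    return {k: v for k, v in env.items() if k not in bad}


def run_trusted(command, env):
    """Run a fixed, trusted command string through the shell with a scrubbed env."""
    return subprocess.run(command, shell=True, env=scrubbed_env(env),
                          capture_output=True, text=True, check=False)


# Constructed sample environment: the command string used below is a
# constant, but one variable's value arrived from outside the program.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "UNTRUSTED_VALUE": "() { :;}; echo gotcha",  # hypothetical variable name
}

if __name__ == "__main__":
    print("flagged:", suspicious_vars(SAMPLE_ENV))
    result = run_trusted("echo do something useful", SAMPLE_ENV)
    print(result.stdout, end="")
```

Passing an explicit `env=` is what matters here: `os.system` always hands the caller's full environment to the shell, whereas `subprocess.run` lets the caller decide which variables the child sees.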