Comment Re:Only CGI scripts affected? (Score 1) 399

Oh I had the same thought... I mean, by the time an "attacker" is modifying arbitrary environment variables in your process,

Which is the case on most Apache Web server configs: the client has full control over the HTTP_REFERER and HTTP_USER_AGENT variables... And the exploit in question works with any environment variable, including those 2.

Well, starting from here, you are vulnerable as soon as:

  1. You have a CGI script written as a #!/bin/bash script on your system
  2. You have /bin/sh symlinked to /bin/bash (used to be common in many Linux distributions), so as soon as a script calls system(), /bin/bash gets executed, along with the script's full environment...

Comment Re:Really? Using bash for CGI? (Score 2) 399

The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.

Nowadays, on most systems, /bin/sh is a proper Bourne Shell (either ash or dash), and no longer bash. So system() should no longer be an issue, but explicitly calling bash still would be...

Comment Re:Full Disclosure can be found on oss-security... (Score 1) 399

Just ran pacman -Syu

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Good. And now on to the next level:

env X='() { (a)=>\' bash -c "echo /usr/bin/id"; cat echo
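As an added example (not from either commenter above), a small Python model of the path described in the two Shellshock comments: request headers become HTTP_* environment variables as a CGI gateway would set them, a detector flags values that begin with a bash function definition (both test strings quoted on this page match), and a helper is invoked without an intermediate shell and with flagged variables removed. The header values are constructed.

```python
import re
import subprocess

# A Shellshock payload must begin with an exported-function definition,
# i.e. the value starts with "() {". This matches both the original
# CVE-2014-6271 test string and the follow-up "() { (a)=>\" variant.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")


def cgi_environment(headers):
    """Mimic the CGI gateway: each request header becomes HTTP_<NAME>."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def flag_shellshock(env):
    """Return the names of variables whose value is a function-definition attempt."""
    return sorted(k for k, v in env.items() if FUNC_DEF.match(v))


def scrubbed_env(env):
    """Drop every flagged variable so nothing resembling a function reaches a shell."""
    return {k: v for k, v in env.items() if not FUNC_DEF.match(v)}


def run_helper(argv, env):
    """Run a helper the way a CGI should: argv list (no system()/sh -c),
    absolute path, scrubbed environment. Returns the helper's stdout."""
    result = subprocess.run(argv, env=scrubbed_env(env),
                            capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample request: one benign header, one carrying the
# test string from the comment above.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "Referer": "http://www.example.test/index.html",
    "User-Agent": "() { :;}; echo vulnerable",
}

if __name__ == "__main__":
    env = cgi_environment(SAMPLE_HEADERS)
    print("flagged:", flag_shellshock(env))
    print(run_helper(["/bin/echo", "helper ran"], env), end="")
```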

Comment Re:Wrong type of machine for Dremel (Score 1) 105

Doesn't all this depend on the software? On a milling machine intended for the end user, the software could know about some of these constraints, and automatically reduce the speed to safe levels where needed. And also, this iModela machine works with soft materials (plastics, woods), not steel, which (probably) means it's not quite as likely to destroy its bits if mis-driven.

Comment Re:What is a customer? (Score 1) 290

The court, not being stupid, will probably send a few "canary" emails.

The court, while certainly not stupid, is very probably lazy, and won't continue bothering Google on its own initiative once a "settlement" is reached.

It will take continued action by the consumer watchdog organization to keep the court interested, but it's a very fine line to walk between "keeping the court interested" and "not annoying the court by pestering it too much".

Comment Re:What is a customer? (Score 1) 290

If Google decides to discontinue all Google services in Germany as a result, would that really be a "win" for the German consumer?

The more likely outcome is that they change the auto-reply text of the mail to "thank you for your valuable feedback", and then still continue to ignore it. The customer will be none the wiser, and unable to prove that feedback gets ignored.
