Oh, I had the same thought... I mean, by the time an "attacker" is modifying arbitrary environment variables in your process,
Which is the case on most Apache Web server configs: the client has full control over the HTTP_REFERER and HTTP_USER_AGENT variables... And the exploit in question works with any environment variable, including those 2.
Well, starting from here, you are vulnerable as soon as:
- You have a CGI script written as a #!/bin/bash script on your system
- You have