Comment Re:not supposed to be on the web! (Score 1) 329
You seem to be missing the point.
No, the vast majority of professional web stacks don't use bash for anything at all. No serious web host has CGI's that start with #!/bin/sh.
But that's not the end of the vulnerability. Bash will trigger its bug whenever its run. It doesn't need to be the CGI handler. It just needs to be run. Loads of web shops use Perl or PHP. How many of them have written their code so that it always uses the array-form of system() in Perl or things like proc_open() in PHP? How many people have written code that uses system() or backticks or shell_exec() or its equivalent? If you have, then there's a good chance you've just invoked bash in your web environment. If you're running through any sort of CGI environment, then you're vulnerable.