Pete Svarrior (Planar Moderator)
Re: Glad I don't have a Linux thingy
« Reply #20 on: September 28, 2014, 04:43:56 AM »
Also, I just noticed this wonderful piece of FUD in Arse Technica's article:

    As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell. And in the case of a web server, that's practically the same level of access as an administrator, giving the attacker a way to gain full control of the targeted system.

No. It doesn't. If you run your web server as root, you have much more serious problems to deal with than "shellshock". I find it funny that Parsifal had already mentioned this before we saw the article:

    Best case scenario, they get in via a web server (you don't run your web server as root, right?)
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume

xasop (Administrator)
Re: Glad I don't have a Linux thingy
« Reply #21 on: September 28, 2014, 05:20:48 AM »
We've discovered a new category of potential bugs in shells. Yes, you're gonna see a couple of them. If you're going to think they're one and the same bug, chances are you have more serious security problems than bash.

Arguably, the bug is that function imports are a thing. The idea that you can have code automagically imported from data, especially data as unpredictable as the environment, is just wrong, and I'm not aware of anybody ever actually making use of it. The correct fix would be to remove that functionality entirely; yes, it's an API change, but it's such a broken API that this is one of the very rare cases where that would be appropriate.
when you try to mock anyone while also running the flat earth society. Lol
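The two technical claims in the posts above, that a Shellshock payload delivered through a web server runs only with the CGI process's own uid, and that the root cause is bash importing function definitions from environment variables, can both be exercised locally. The script below is an added example and is not code from this thread or from any of the posters; the attacker header, the one-line "CGI script" and the function names (run_cgi, shellshock_check, cgi_uid, show_export_encoding) are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. It replays the delivery path the
# posts argue about: a CGI-style server copies an HTTP header into the
# environment and spawns bash, so a crafted header can only ever run with the
# server's own uid. It also checks whether the local bash still imports
# functions from arbitrary environment variables (the Shellshock bug,
# CVE-2014-6271). All input is constructed here; no real web server or network
# is involved.

# Constructed attacker User-Agent. A vulnerable bash treats a value starting
# with "() {" as a function definition and keeps parsing past the closing
# brace, executing the trailing command at shell start-up.
ATTACKER_UA='() { :;}; echo SHELLSHOCK_RAN uid=$(id -u)'

# Simulate mod_cgi: the header becomes HTTP_USER_AGENT in the child's
# environment, then the CGI script (here a one-liner) runs under bash.
run_cgi() {
    HTTP_USER_AGENT="$1" bash -c 'echo "Content-Type: text/plain"; echo; echo "hello from cgi"'
}

# Return 0 if bash is patched (the payload stays in the environment as plain
# data), 1 if the payload executed.
shellshock_check() {
    if run_cgi "$ATTACKER_UA" 2>/dev/null | grep -q SHELLSHOCK_RAN; then
        return 1
    fi
    return 0
}

# The uid any injected command would run as: the CGI process's uid, i.e. the
# account the web server was started under. On a vulnerable bash the payload
# line is printed first, so keep only the last line (the uid).
cgi_uid() {
    HTTP_USER_AGENT="$1" bash -c 'id -u' 2>/dev/null | tail -n 1
}

# The legitimate feature behind the bug: "export -f" passes a function to
# child shells through the environment. A patched bash stores it under a
# prefixed name (BASH_FUNC_greet%% on current versions; the exact prefix has
# varied across patch levels, and unpatched builds used a plain "greet=") so
# that an ordinary variable is never parsed as a function.
show_export_encoding() {
    bash -c 'greet() { echo hi; }; export -f greet; env | grep greet | head -n 1'
}

echo "exported function as seen in the environment: $(show_export_encoding)"
if shellshock_check; then
    echo "bash is patched: HTTP_USER_AGENT stayed data"
else
    echo "bash is VULNERABLE: injected command ran as uid $(cgi_uid "$ATTACKER_UA")"
fi
```

Run it as the same user you would start a web server under; whatever cgi_uid prints is the ceiling of what an injected command gets, which is the point Parsifal and Pete make about not running the server as root.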

Pete Svarrior (Planar Moderator)
Re: Glad I don't have a Linux thingy
« Reply #22 on: September 28, 2014, 05:31:56 AM »
    Arguably, the bug is that function imports are a thing. The idea that you can have code automagically imported from data, especially data as unpredictable as the environment, is just wrong, and I'm not aware of anybody ever actually making use of it. The correct fix would be to remove that functionality entirely; yes, it's an API change, but it's such a broken API that this is one of the very rare cases where that would be appropriate.
See, I'm in two minds about that. I'm also unaware of anyone actually using this functionality, but I'm always wary of removing something that's already there. Because of that, I wouldn't necessarily call it "the correct fix", but rather "a very reasonable trade-off".