[dns-operations] ShellShock exploit through the DNS

Paul Vixie paul at redbarn.org
Tue Oct 14 13:41:47 UTC 2014

> Tony Finch <mailto:dot at dotat.at>
> Tuesday, October 14, 2014 5:31 AM
> A CGI script invoked by Apache httpd with HostnameLookups On
> (the default is Off, a safer setting is Double)
thanks, that makes sense. the security advisory posted here did not
mention any real world examples. i agree that apache with
HostnameLookups turned on, on redhat or apple systems where /bin/sh is
bash, is a real world example.

apparently the apache team believed as i did that no shell would ever
eval() its environment variables no matter with or without input
checking. the bash team really violated the principle of least
astonishment with function inheritance.

Paul Vixie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141014/076dd841/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20141014/076dd841/attachment.jpg>

More information about the dns-operations mailing list