On 26 September 2014 10:26, Nikolaus Rath <Nikolaus@rath.org> wrote:
> Wasn't there some web server that used to put query script variables
> into the environment of the CGI script? Or am I confusing that with
> PHP's evil register_globals?
CGI is just one avenue for attack.
There are other avenues. E.g. the ssh one, if I understand correctly, would allow setting any environment variable to any value.
In addition, if there are any setuid/setgid programs, either in Debian or installed locally, that make external calls to bash, these would be vulnerable.
I thought sudo was supposed to be ok, sure doesn't look ok to me.