CVE-2014-6271 : Remote code execution through bash

mex nginx-forum at nginx.us
Thu Sep 25 07:27:19 UTC 2014


foo ...

http://www.openwall.com/lists/oss-security/2014/09/24/17

"Note that on Linux systems where /bin/sh is symlinked to /bin/bash,
any popen() / system() calls from within languages such as PHP would
be of concern due to the ability to control HTTP_* in the env.

/mz"

$ ls -la /bin/sh
lrwxrwxrwx 1 root root 4 Mar  1  2012 /bin/sh -> dash

phew ':)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,253532,253537#msg-253537



More information about the nginx mailing list