nologin Protect Apache from Bash Exploit CVE-2014-6271 It was announced widely today (September 24, 2014) that it is possible to manipulate environment variables to execute approximately

@Sims2060225

It was announced widely today (September 24, 2014) that it is possible to manipulate environment variables to execute approximately arbitrary code on *nix systems where Bash is the default shell. seclists.org/oss-sec/2014/q3/650
Per the article above, CGI scripts are a major attack vector because CGI variables attached to a URL are presented to the Common Gateway Interface as environment variables, i.e. the server process (Apache in my case) puts the CGI parameters into the environment.

On my particular installation, Apache has a default shell of /sbin/nologin/ although the default system shell is /bin/bash.

Can such a system be exploited in the manner described? Alternatively, how can I test it?

(I know I need to replace the Bash shell ASAP; that turns out to be a big deal because of some customization.)

(If this should be migrated to ServerFault, please do so; I put it here because the question is specific to web server programs, and especially Apache.)

Edit: Not the answer, but it may help others; it looks like disabling mod_cgi will mitigate the problem, at least somewhat. securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

10.01% popularity Vote Up Vote Down

: Rank Ordered List of Words on a Web Page? I want (for purposes of SEO) to read a web page URL using some tool and get back the text only (no markup) words on that page, in rank order,

@Sims2060225

Posted in: #Seo

1 Comments

: Passing Arabic values in parameters results in % spaces I have built an .htaccess clean URL, this part works perfect in my .htaccess: RewriteCond %{THE_REQUEST} /road.phps [NC] RewriteRule . نقفورالثانيفوكاس/

@Sims2060225

Posted in: #Htaccess #Php #UrlEncoding

1 Comments

: How to deal with users passwords on website re-design? I have an old Drupal 6 website with about 1000 active users and I want to replace it with new OpenCart 1.5 installation. How to find

@Sims2060225

Posted in: #Password #WebDevelopment

1 Comments

: .htaccess rewrite rule domain alias doesn't work I have a site called: www.example.com this is the main domain. Now I have a Alias: www.example2.com. I want that example2.com will be forwarded

@Sims2060225

Posted in: #Htaccess #ModRewrite #MultipleDomains #UrlRewriting

1 Comments

Login to post a comment!

1 Comments

Sorted by latest first Latest Oldest Best

@Heady270

Specifying /sbin/nologin as the login shell for the Apache user does not prevent Apache from launching bash. It only prevents logins with the user that is meant to only run the webserver.

You might be interested in How do I secure Apache against the Bash Shellshock vulnerability? from the security StackExchange site. It suggests some workarounds like running apache in a chroot environment with a patched version of bash. Even if you can't replace bash everywhere, you might be able to do so for Apache.

10% popularity Vote Up Vote Down

Feed

: Will /sbin/nologin Protect Apache from Bash Exploit CVE-2014-6271 It was announced widely today (September 24, 2014) that it is possible to manipulate environment variables to execute approximately

More posts by @Sims2060225

: Rank Ordered List of Words on a Web Page? I want (for purposes of SEO) to read a web page URL using some tool and get back the text only (no markup) words on that page, in rank order,

: Passing Arabic values in parameters results in % spaces I have built an .htaccess clean URL, this part works perfect in my .htaccess: RewriteCond %{THE_REQUEST} /road.phps [NC] RewriteRule . نقفورالثانيفوكاس/

: How to deal with users passwords on website re-design? I have an old Drupal 6 website with about 1000 active users and I want to replace it with new OpenCart 1.5 installation. How to find

: .htaccess rewrite rule domain alias doesn't work I have a site called: www.example.com this is the main domain. Now I have a Alias: www.example2.com. I want that example2.com will be forwarded

Login to post a comment!

1 Comments

Back to top | Use Dark Theme