On Thu, Sep 25, 2014 at 11:51 AM, Les Mikesell <lesmikesell@gmail.com> wrote:
> On Wed, Sep 24, 2014 at 4:50 PM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
>> Given the mod_cgi effects, especially for Nagios and other servers, I'd urge caution and stage environment testing before mass deployment.
>
> What is likely to break? And what things are likely to allow the attack? That is, besides ssh command restrictions, where can you set arbitrary env variables where you wouldn't have had access to execute a shell command directly.
It's very difficult to predict what will break in some weird flipping environments. The canonical cartoon about this is http://xkcd.com/1172/ . As I mentioned, Nagios and its use of 'mod_cgi' may be at risk.
Thinking about it, the git CentOS repository could possibly be vulnerable, depending on just how the git credentials are managed there. I'd urge a check.