On 2014-09-26, Cliff Pratt enkiduonthenet@gmail.com wrote:
> Take the case of an Apache Bash CGI. This will have been loaded when Apache started, so Apache will have to be restarted to get the new one.
Based on my (admittedly limited) testing I do not believe this is the case. Apache exec()'s the interpreter on each request; it doesn't save the interpreter into its memory space, so each subsequent call should re-run the interpreter. That's one of the big reasons mod_perl and their ilk are popular: they do put the interpreter into httpd's memory, so the interpreter doesn't have to be called on each invocation.
I don't currently have a vulnerable interpreter available on a web server, but on the servers where I have an updated bash, the "vulnerable" message that's produced by the example code doesn't show up in a bash CGI on a web server I haven't restarted.
# example code
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
--keith
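
The restart question discussed above can be checked directly on a Linux host by listing which running processes still execute a bash binary that has since been replaced on disk. This is an added example, not part of the original message; it assumes Linux procfs, and `stale_bash_pids` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post).
# Lists PIDs whose executable is a bash binary that was replaced on disk
# after the process started. Those are the processes that still run the
# old code until they exit or are restarted.
#
# Assumption: Linux procfs, where /proc/<pid>/exe reads "<path> (deleted)"
# once the original file has been unlinked, as a package upgrade normally
# does when it installs the new binary over the old one.
#
# A web server that exec()s bash per CGI request is never listed: its own
# exe link points at the httpd binary, and each request starts a new bash
# from whatever file is on disk at that moment.

# stale_bash_pids [PROC_ROOT]
# PROC_ROOT defaults to /proc. The parameter exists so the function can be
# pointed at a constructed directory tree for testing.
stale_bash_pids() {
    proc_root=${1:-/proc}
    for exe in "$proc_root"/[0-9]*/exe; do
        # Links that cannot be read (other users' processes when not root,
        # kernel threads, an unmatched glob) are skipped.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            */bash" (deleted)")
                pid=${exe%/exe}        # strip trailing /exe
                echo "${pid##*/}"      # keep only the PID component
                ;;
        esac
    done
}
```

Call `stale_bash_pids` with no argument, as root, to scan the live `/proc`; an empty result means no process is still running the pre-update bash.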