On 2014-09-26, Cliff Pratt <enkiduonthenet at gmail.com> wrote: > Take the case of an Apache Bash CGI. This will have been loaded when Apache > started, so Apache will have to be restarted to get the new one. Based on my (admittedly limited) testing I do not believe this is the case. Apache exec()'s the interpreter on each request; it doesn't save the interpreter into its memory space, so each subsequent call should re-run the interpreter. That's one of the big reasons mod_perl and their ilk are popular: they do put the interpreter into httpd's memory, so the interpreter doesn't have to be called on each invocation. I don't currently have a vulnerable interpreter available on a web server, but on the servers where I have an updated bash, the "vulnerable" message that's produced by the example code doesn't show up in a bash CGI on a web server I haven't restarted. # example code env x='() { :;}; echo vulnerable' bash -c "echo this is a test" --keith -- kkeller at wombat.san-francisco.ca.us