[CentOS] firefox: annoyance

Sat Sep 27 01:05:50 UTC 2014
Keith Keller <kkeller at wombat.san-francisco.ca.us>

On 2014-09-26, John R Pierce <pierce at hogranch.com> wrote:
>> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>>> >
>>> >66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
>
> no.  mod_cgi launches /bin/sh and passes it the command,  even if the 
> file doesn't exist.   and  /bin/sh is linked to bash

Wouldn't you need a particular Apache configuration for mod_cgi to
launch /bin/sh?  e.g., /cgi-bin/ configured as a ScriptAlias, and/or
*.sh configured with an appropriate handler?  Granted that's likely a
common configuration, but a site without a configured /cgi-bin/ should
be immune to this attack even if their /bin/sh is a symlink to
/bin/bash.

--keith

-- 
kkeller at wombat.san-francisco.ca.us