

As a small-time dev do I have to worry about shellshock? - fifthesteight

I have an extremely small team, lots of projects and no resources or capacity to spend on securing our web applications. I host with one of the big guys, we don&#x27;t run our servers from our shop or anything like that.<p>Without the capacity to spare man-hours battening down the hatches- how big of a deal is being on top of this for a run-of-the-mill dev team with low-level, no-big-deal development, hosted elsewhere?<p>My main concern is unwittingly leaving clients servers&#x2F;applications vulnerable and them falling under nefarious control...
======
jestar_jokin
It's a big deal, especially for small dev shops, as they're less likely to
have people available to plug security holes or monitor servers for
vulnerabilities/compromises. If you're using shared hosting, probably not an
issue. If you're using a VPS, PS, or other service where you are expected to
maintain the server, well...

For some systems, it's just a matter of logging in to the server and running a
single command line, like "sudo yum update bash" (replace "yum" with apt-get,
or another package manager).

You can leave it, but know that you're leaving your clients vulnerable to
things such as:

\- stolen data \- data loss \- compromised/corrupted/deleted backups of data,
code \- site disruption \- botnet participation \- illegal file dump/trading
space \- unremovable rootkits

Having said that, I believe you should be safe if you don't use CGI to run
your apps.

The earlier you plug the holes, the better.

~~~
fifthesteight
Thank you as well. I appreciate you taking the time to answer.

We don't run cgi scripts, and we seem to be predominantly in the "probably
safe" category. That said, this is the reaponse I expected. I've applied some
patching on our machines (read: that first one that didnt fix a lot of
vulerabilities) and I'm sure the other guys have, too.

It has just been one of those launch months where even pooping feels like
burning time and money.

Seems like somebody is going to be changing gears today. Thank you.

------
lastofus
Someone is responsible for maintaining/patching your servers. Either you are,
or you are paying someone to do it.

If you are paying a company to do it, send 'em an email. If you are
responsible, look into what it takes to install a bash upgrade. I was able to
patch my own Ubuntu VMs in about shell 3 commands manually through SSH (yay
apt-get). Took all of 10 mins reading up on documentation, logging in, hitting
yes to prompts...

In all seriousness, the patching process shouldn't be too much more involved
than patching your desktop OS for a small shop not worried about 100s of
servers, load balancers/failover mechanisms, SLAs, etc...

~~~
fifthesteight
Thank you, too. The patching process wasnt as much my concern as the other
widespread, clever exploits that really experienced bash dudes are finding.

Like we discussed, my concern is client sites hosted on a server I pay to be
maintained... I did email the provider, and at the time was satisfied with
their response so thats good.

So I really apprecuate all the input. I feel okay, though some funny behavior
on old, stable sites makes me worry.

Thank you for your time.

I give myself a C- and will reevaluate.p

------
sippndipp
You should test your sites with these two tools:

[http://www.shellshocktest.com/](http://www.shellshocktest.com/)

and

[http://shellshock.brandonpotter.com/](http://shellshock.brandonpotter.com/)

There is a well maintained guide at Digital Ocean that explains the nitty
gritty details:

[https://www.digitalocean.com/community/tutorials/how-to-
prot...](https://www.digitalocean.com/community/tutorials/how-to-protect-your-
server-against-the-shellshock-bash-vulnerability)

If a server is vulnerable there is a great guide that helps you to deal even
with old systems:

[https://dmsimard.com/2014/09/25/the-bash-
cve-2014-6271-shell...](https://dmsimard.com/2014/09/25/the-bash-
cve-2014-6271-shellshock-vulnerability/)

~~~
fifthesteight
Thank you, this is very helpful- though I was hoping to be cheap and lazy.

