Mitigating CVE-2014-6271 "shellshock" in lighttpd with mod_magnet

Quick braindump:

  • a remote code vulnerability (CVE-2014-6271) in bash has been disclosed
  • bash will parse any environment variable value which begins with () { as a function, and continue parsing and executing any shell commands it encounters
  • env x='() { :;}; echo vulnerable' bash -c "echo" will print “vulnerable” if your bash is vulnerable
  • lots of Internet facing services put strings from requests into environment variables
  • curl -A "() { :; }; touch /var/www/oh_hai_webroot" http://eg.your.webserver/cgi-bin/foo.cgi