Only mysql root and have a bash shell.
I'm not entirely sure if this reduces the possibility of attacks against a web server through this "feature", but I think so.
No, that is entirely irrelevant.
The threat via a web server only exists if the server has CGI scripts, as the interface between the web server and CGI is via environment variables, the content of which is under the control of the attacker - e.g. HTTP_USER_AGENT is set by the User-Agent header in the HTTP request.
Any CGI script written in bash (or shell) is immediately vulnerable. But most systems don't have those.
Some CGI scripts written in Perl and Python will be vulnerable and some not. If they don't call any sub-commands, then they are not vulnerable. If they call sub-commands directly, without invoking the shell, then they are OK.
So this in Python is OK:
from subprocess import call
call(["ls", "-l"])
and in Perl this is OK:
system("ls", "-l");
But scripts containing any of these will be exploitable:
os.system("ls -l")
my $rc = system("ls -l");
my $rc = `ls -l`;
The first of those is Python, the other two Perl. They are all exploitable because bash is invoked to parse the command line, and the environment variables set by Apache as part of the CGI environment still exist.
The other area where SME server might be vulnerable until bash is updated is via dhclient. If a WAN connection exists, and DHCP is used for IP allocation, then the system could be compromised via a malicious DHCP server on the WAN network segment (e.g. the ISP's network segment connecting you to them).
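An added example, not part of the original post: a small audit helper that scans the source of a CGI script and reports the call forms the reply above lists as going through the shell, while leaving the list-form calls alone. The function name `audit`, the rule tables and the sample scripts are constructed for illustration; it assumes the language can be read from the shebang line and that `/bin/sh` on the host is bash.

```python
import re

# Call forms the reply lists as going through the shell (heuristic, not exhaustive).
PYTHON_RULES = [
    ("os.system()", re.compile(r"\bos\.system\s*\(")),
    ("os.popen()", re.compile(r"\bos\.popen\s*\(")),
    ("subprocess shell=True", re.compile(r"\bshell\s*=\s*True\b")),
]
PERL_RULES = [
    # One quoted string only; the list form system("ls", "-l") does not match.
    ("system() single string",
     re.compile(r"""\bsystem\s*\(\s*(["'])(?:(?!\1).)*\1\s*\)""")),
    ("backticks", re.compile(r"`[^`]+`")),
    ("qx operator", re.compile(r"\bqx\s*[({\[/]")),
]

def audit(source):
    """Return [(line_number, finding)] for one CGI script's source text."""
    lines = source.splitlines()
    shebang = lines[0] if lines and lines[0].startswith("#!") else ""
    # A CGI script that is itself run by bash/sh is flagged as a whole.
    if re.search(r"\b(ba)?sh\b", shebang):
        return [(1, "shell CGI script")]
    if "python" in shebang:
        rules = PYTHON_RULES
    elif "perl" in shebang:
        rules = PERL_RULES
    else:
        return []
    findings = []
    for number, line in enumerate(lines, 1):
        code = line.split("#", 1)[0]  # crude comment strip
        findings += [(number, name) for name, rx in rules if rx.search(code)]
    return findings

# Constructed sample scripts built from the snippets in the post.
PY_SAFE = '#!/usr/bin/python\nfrom subprocess import call\ncall(["ls", "-l"])\n'
PY_SHELL = '#!/usr/bin/python\nimport os\nos.system("ls -l")\n'
PERL_MIXED = ('#!/usr/bin/perl\nsystem("ls", "-l");\n'
              'my $rc = system("ls -l");\nmy $out = `ls -l`;\n')
SH_CGI = '#!/bin/bash\necho "Content-type: text/plain"\n'

if __name__ == "__main__":
    for label, src in [("py-safe", PY_SAFE), ("py-shell", PY_SHELL),
                       ("perl", PERL_MIXED), ("sh", SH_CGI)]:
        print(label, audit(src))
```

Findings are candidates for manual review, since the patterns work line by line and do not parse either language.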