How worse is the shellshock bash bug than Heartbleed?
Łukasz "Cyber Killer" Korpalski
cyberkiller8 at gmail.com
Tue Sep 30 03:30:57 PDT 2014
On 30.09.2014 at 11:55, Lodewijk andré de la porte wrote:
> Heartbleed was a memory leak that eventually, after carefully calculated
> exploiting, can lead to a remote root.
>
> Shellshock depends on a lot of environmental details, but is possibly
> little more than a hard-to-reach shell with elevated permissions.
>
> I guess heartbleed was actually worse. Who runs webscripts and stuff in
> root? That's really foolhardy. But using OpenSSL ... We usually thought
> it good practice!
>
Agree, heartbleed was a bigger problem, though I think I know why so
many people panic because of this.
My theory is, with heartbleed most folks thought they were unaffected,
cause not many noob people run a webserver. But with shellshock they can
test this on their own machine, with just 1 line of code and see the
"vulnerable" message, so suddenly this is a big deal for them.
So, don't panic & stay cool, unless you have some badly configured
servers or have a habit of running everything on your workstation
without checking. But then you got bigger problems than this ;-).
--
Łukasz "Cyber Killer" Korpalski
mail: cyberkiller8 at gmail.com
xmpp: cyber_killer at jabster.pl
site: http://website.cybkil.cu.cc
gpgkey: 0x72511999 @ hkp://keys.gnupg.net
//When replying to my e-mail, kindly please
//write your message below the quoted text.