0

I found this test here for the Shellshock vulnerability follow-up CVE-2014-7169 , which is basicaly doing:

echo `env X='() { (a)=>\' sh -c "echo '[Vulnerability CVE-2014-7169 Detected]'" 2> /dev/null; cat echo 2> /dev/null`

Is this the correct way to test the vulnerability? And why does it involve sh and not bash?

My default shell is bash on one server:

ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Okt 18  2013 /bin/sh -> bash

and dash on another, where the test is also positive.

(if that's a problem, would it cause problems if I changed the default shell??)

rubo77
  • 2,370
  • 10
  • 26
  • 49

0 Answers0