[Twisted-Python] Security Advisory: bash remote code execution

Glyph Lefkowitz glyph at twistedmatrix.com
Thu Sep 25 13:54:29 MDT 2014


On Sep 25, 2014, at 8:09 AM, Matt Haggard <haggardii at gmail.com> wrote:

> >
> > Any web server which is serving traffic over a CGI or CGI-like interface
> > (including WSGI) should upgrade its version of Bash immediately.
> >
> 
> I feel ignorant, but I'm confused about how WSGI is affected (and have failed to exploit my WSGI app).  AFAICT from reading the code, Twisted's WSGIResource doesn't invoke a shell.  I see that it has an `environ` attribute that gets filled with user-provided information, but I don't see how that makes it into a shell's environment.

As Alex's post said, this vulnerability does not affect Twisted directly.

The point is that most people deploying web services are doing so in a UNIX environment, and in so doing they are probably invoking scripts of various kinds, or executables which may have been replaced with wrapper shell-scripts.  It's hard to audit for environment variables containing attacker-controlled data, and this is the sort of thing we've all been trained to expect is safe, if they're variables in our own "namespace", so it's possible that any number of 3rd-party tools you are using with Twisted are vulnerable in surprising ways.

So everybody should just upgrade :).

-glyph
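To make the propagation path Glyph describes concrete, here is an added example (not code from the thread, from Twisted, or from any project mentioned above). It constructs a sample WSGI `environ`, shows the risky pattern of merging it into a child process's environment, and contrasts it with building the child's environment from an allowlist. The child is a Python interpreter rather than a shell so the example runs anywhere; the names `CHILD_ENV_ALLOWLIST`, `APP_*`, and the helper functions are assumptions of this example.

```python
import json
import os
import subprocess
import sys

# Constructed sample WSGI environ (not captured from a real server). CGI-style
# keys such as HTTP_* carry raw request headers, so anything an HTTP client
# sends is present here as a plain string.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/report",
    "HTTP_USER_AGENT": "attacker-controlled header value",
    "HTTP_COOKIE": "session=abc123",
    "wsgi.version": (1, 0),
}

# Hypothetical allowlist of variables a helper script legitimately needs;
# tune it to what the child actually reads.
CHILD_ENV_ALLOWLIST = ("PATH", "LANG", "HOME")


def naive_child_env(environ):
    """The risky pattern: merge the request environ into the process
    environment so a helper 'can see the request'.  Every HTTP_* header
    becomes an environment variable inherited by the child and by any
    shell the child (or a wrapper script around it) goes on to start."""
    env = dict(os.environ)
    for key, value in environ.items():
        if isinstance(value, str):  # wsgi.* objects are not strings
            env[key] = value
    return env


def hardened_child_env(environ, needed=()):
    """Build the child's environment from an allowlist only.  Request data
    the child genuinely needs is passed under fixed, application-chosen
    names, never by copying request-derived keys wholesale."""
    env = {k: os.environ[k] for k in CHILD_ENV_ALLOWLIST if k in os.environ}
    for key in needed:
        env["APP_" + key] = environ.get(key, "")
    return env


def run_child_and_capture_env(env):
    """Spawn a child process with the given environment and return the
    environment it actually observed (a Python child, so no bash needed)."""
    completed = subprocess.run(
        [sys.executable, "-c",
         "import json, os; print(json.dumps(dict(os.environ)))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(completed.stdout)


def request_data_leaked(child_env):
    """Names of environment variables in the child that carry raw client data."""
    return sorted(k for k in child_env if k.startswith("HTTP_"))


if __name__ == "__main__":
    leaked = request_data_leaked(run_child_and_capture_env(naive_child_env(SAMPLE_ENVIRON)))
    print("naive child sees request headers as env vars:", leaked)
    safe = run_child_and_capture_env(hardened_child_env(SAMPLE_ENVIRON, needed=["PATH_INFO"]))
    print("hardened child sees request headers as env vars:", request_data_leaked(safe))
    print("hardened child still gets what it needs:", safe["APP_PATH_INFO"])
```

The audit question this turns into is mechanical: for every `subprocess`, `os.system`, or `reactor.spawnProcess` call reachable from a request handler, check whether the `env` argument is an explicit allowlist or an inherited (possibly request-tainted) environment. Only the former keeps client-supplied strings away from whatever shell a third-party tool or wrapper script eventually runs.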
