Testing in a bash shell on one of my NetWare boxes, I’ve been pleasantly
surprised, though remain unconvinced that the older bash port is entirely
free of vulnerability, here.
Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
I don’t believe that anyone is using mod_cgi or mod_cgid.
(BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
32 and 64-bit binary rpms on my FTP server: ftp.2rosenthals.com/pub/CentOS/4.8 .)
Just curious as to what the consensus is regarding NetWare with this thing.
The concern with the bash shell is that services MAY be setup to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I’ve
never tried.
–
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
Apologies for the late reply, and thanks for the thoughts, which do
concur with mine. Still, I’m thinking that I might bounce this off of
Guenter (and I owe him an email, anyway, which is long overdue).
Cheers
–
Lewis G Rosenthal, CNA, CLP, CLE, CWTS
Rosenthal & Rosenthal, LLC www.2rosenthals.com