On Wed, Oct 01, 2014 at 07:04:19AM -0700, coderman wrote:
On 10/1/14, Georgi Guninski <guninski@guninski.com> wrote:
... Suspect this is just the top of the shellshock iceberg: http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researche... OpenVPN open to pre-auth (in certain configurations).
if you are using any of the up, down, ipchange, route-up, tls-verify, auth-user-pass-verify, client-connect, client-disconnect, or learn-address scripts with openvpn you are not operating in a security conscious manner.
to reiterate, in case anyone missed it: exposing a shell to untrusted inputs is insanity. this is true even if you manage to make your environment variable sanitization apparently robust.
OK :) Tell this to djb, qmail local delivery was allegedly affected ;)

Cheers

Btw, people scared by HB probably will get close to clinically paranoid if the next HB allows "write anywhere" ;) { :; } ;)
part of my intent was to convey that heartbleed easily leads to arbitrary exec; even if not directly so ala shellshock.
so agree to disagree indeed; thus far heartbleed has medical pwnage and altcoin pilferage to credit, while shellshock is a farce of consumer crap and sloppy run yawn vulns; the mythical wide worm yet to materialize...
due time will tell, of course! :P
best regards,
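As an added illustration of coderman's point about the OpenVPN script hooks (this is example code written for this page, not code from the thread or from the OpenVPN project), a small Python audit that lists which of those hook directives a server config enables and whether each one points at a shell-script interpreter. The config fragment, the paths and the shebang map are constructed; a real audit would read the script files from disk.

```python
"""Audit an OpenVPN server config for script hooks that hand client-supplied data to an external program."""
import re
import shlex

# Hook directives named in the thread: each runs an external program with
# client-controlled values (username, certificate subject, ...) in its
# arguments or environment, which is what Shellshock abuses.
SCRIPT_HOOKS = {"up", "down", "ipchange", "route-up", "tls-verify",
                "auth-user-pass-verify", "client-connect",
                "client-disconnect", "learn-address"}
# Matches a bash shebang, and plain sh too, since sh is bash on some systems.
SHELL_SHEBANG = re.compile(r"#!.*\b(ba)?sh\b")

def parse_config(text):
    """Yield (directive, args) for each non-comment line; args may be quoted."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]

def audit(text, shebangs):
    """Return (script_security_level, findings).

    shebangs maps script path -> first line of that script; it is passed in
    so the example runs offline, a real audit would read the files.
    Each finding is (directive, script_path, runs_under_shell).
    """
    level, findings = None, []
    for directive, args in parse_config(text):
        if directive == "script-security" and args:
            level = int(args[0])
        elif directive in SCRIPT_HOOKS and args:
            path = args[0]
            shell = bool(SHELL_SHEBANG.match(shebangs.get(path, "")))
            findings.append((directive, path, shell))
    return level, findings

# Constructed sample input with hypothetical paths (not a real deployment).
SAMPLE_CONFIG = """\
script-security 2
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
client-connect "/etc/openvpn/on connect.py"
; up /etc/openvpn/up.sh   (commented out, so not reported)
"""
SAMPLE_SHEBANGS = {
    "/etc/openvpn/check-user.sh": "#!/bin/bash",
    "/etc/openvpn/on connect.py": "#!/usr/bin/env python3",
}
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_SHEBANGS)` reports the `auth-user-pass-verify` hook as a bash script fed a client-chosen username, while the Python `client-connect` hook is listed but not flagged as shell-backed.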