On 10/1/14, Georgi Guninski <guninski@guninski.com> wrote:
... Suspect this is just the top of the shellshock iceberg: http://www.theregister.co.uk/2014/09/30/openvpn_open_to_shellshock_researche... OpenVPN open to pre-auth (in certain configurations).
if you are using any of the up, down, ipchange, route-up, tls-verify, auth-user-pass-verify, client-connect, client-disconnect, or learn-address scripts with openvpn you are not operating in a security conscious manner. to reiterate, in case anyone missed it: exposing a shell to untrusted inputs is insanity. this is true even if you manage to make your environment variable sanitization apparently robust.
Btw, people scared by HB probably will get close to clinically paranoid if the next HB allows "write anywhere" ;) { :; } ;)
part of my intent was to convey that heartbleed easily leads to arbitrary exec; even if not directly so ala shellshock. so agree to disagree indeed; thus far heartbleed has medical pwnage and altcoin pilferage to credit, while shellshock is a farce of consumer crap and sloppy run yawn vulns; the mythical wide worm yet to materialize... due time will tell, of course! :P

best regards,
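
An audit sketch for the script hooks listed in the reply above (added example, not part of the original thread and not OpenVPN project code): it finds those directives in an OpenVPN config and reports whether the `script-security` level lets user-defined scripts run. The function name, sample config and paths are constructed for illustration.

```python
import shlex

# Script-hook directives named in the message above.
SCRIPT_HOOKS = {
    "up", "down", "ipchange", "route-up", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address",
}

def audit_openvpn_config(text):
    """Hypothetical helper: list script hooks and the script-security level."""
    hooks = []
    level = 1  # OpenVPN default: only built-in executables may be called
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                   # unbalanced quote: split naively
            tokens = line.split()
        directive, args = tokens[0].lstrip("-"), tokens[1:]
        if directive == "script-security" and args and args[0].isdigit():
            level = int(args[0])
        elif directive in SCRIPT_HOOKS and args:
            hooks.append((line_no, directive, " ".join(args)))
    # Level 2 or higher is what permits user-defined scripts.
    return {"hooks": hooks, "script_security": level,
            "scripts_can_run": bool(hooks) and level >= 2}

# Constructed sample config for illustration; paths are made up.
SAMPLE_CONFIG = """\
# constructed sample
port 1194
proto udp
script-security 2
auth-user-pass-verify /etc/openvpn/verify.sh via-env
client-connect "/etc/openvpn/connect.sh --log"
;learn-address /etc/openvpn/learn.sh
# up /etc/openvpn/up.sh
verb 3
"""

if __name__ == "__main__":
    report = audit_openvpn_config(SAMPLE_CONFIG)
    for line_no, directive, command in report["hooks"]:
        print(f"line {line_no}: {directive} -> {command}")
    print("level:", report["script_security"], "run:", report["scripts_can_run"])
```

A config that lists hooks but leaves `script-security` at its default is reported with `scripts_can_run` false, since the hooks are configured but not permitted to execute.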