[btown]

From one of the comments:

> The question isn't whether a CGI is written in bash, but if it calls out to bash no matter how indirectly. Lots of things use the system() libc function, so if /bin/sh is bash it's game over.

Is this true? Which systems are vulnerable to this by default?

[hackcasual]

I think you need that + the ability to add anything to an environment variable. Not sure how easy that is.

edit: reading this looks like its exploiting CGI scripts, presumeably through the host header

[fabulist]

Setting an environment variable is often pretty easy, but the Host: header is the wrong way to go. The webserver will usually ignore a bad Host: header. User-agent: is much more availing.

[bodyfour]

CGI will typically pass most any header along as a HTTP_headername environment variable (HTTP_HOST is just one example) I'd expect most malicious exploiters to use a non-standard header, since User-Agent's value is often logged.