Hacker News
by freakonom 4287 days ago
You know what would be super clever?

Discovering a case where wget shells out to bash while setting some env vars based on received headers. And then anonymously posting a supposed shellshock payload just begging to be downloaded with wget.

2 comments

I just grepped the latest version of wget and didn't find any reference to system().
> wget shells out to bash

Why oh why would this ever happen?

This whole bug is way overblown. Not every small program on the planet "shells out to bash", and if they do, that's one seriously messed up program.

I don't think it's overblown.

If you run a web server that generates its own CAPTCHA using something like ImageMagick, or call system() to gzip something, you could possibly be vulnerable.

Never underestimate vulnerabilities and the way people can use them, or even combine them, to exploit systems.
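The path the original post and the gzip/ImageMagick comment above are arguing about, as an added example that is not code from wget, Hacker News or any project: request headers copied verbatim into a child process's environment (the standard CGI HTTP_* mapping; any program that copies headers into its env behaves the same), the system()-style shell=True call that lets bash parse those values, the hardened no-shell form with an allow-listed environment, and the probe people ran against their own bash for Shellshock (CVE-2014-6271). The function names, the allow-list and the sample request are illustrative choices, not anything the thread or wget defines.

```python
"""Shellshock delivery path: header -> environment variable -> bash, and the
hardened alternative. Illustrative code, not from wget or any project."""
import os
import subprocess

# Classic Shellshock probe: a bash function export followed by trailing code.
# An unpatched bash runs "echo VULNERABLE" merely by importing the variable.
PROBE = "() { :; }; echo VULNERABLE"


def is_function_export(value: str) -> bool:
    """Detection heuristic for log or WAF review: unpatched bash treated any
    environment value beginning with exactly "() {" as a function definition.
    Matching that prefix catches the original payload shape; it is not a fix."""
    return value.startswith("() {")


def cgi_environment(headers: dict) -> dict:
    """How a CGI-style server turns request headers into HTTP_* variables.
    This is the delivery path: User-Agent becomes HTTP_USER_AGENT verbatim."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}


def scrub_environment(env: dict) -> dict:
    """Least-privilege environment for a child: an allow-list of variables
    (illustrative set), and nothing shaped like a function export gets through."""
    allowed = {"PATH", "LANG", "LC_ALL", "TZ"}
    return {k: v for k, v in env.items()
            if k in allowed and not is_function_export(v)}


def vulnerable_handler(headers: dict, cmd: str = "gzip --version"):
    """The antipattern the thread argues about: system()-style shell=True with
    the request-derived environment. If /bin/sh is bash, or the tool is wrapped
    by a bash script, every HTTP_* value is parsed by bash on startup."""
    env = {**os.environ, **cgi_environment(headers)}
    return subprocess.run(cmd, shell=True, env=env,
                          capture_output=True, text=True, check=False)


def hardened_handler(headers: dict, argv=("gzip", "--version")):
    """Hardened form: explicit argv, no shell, allow-listed environment.
    Header data never becomes an environment variable, so even an unpatched
    bash further down the process tree has nothing to import."""
    env = scrub_environment({**os.environ, **cgi_environment(headers)})
    return subprocess.run(list(argv), shell=False, env=env,
                          capture_output=True, text=True, check=False)


def bash_is_vulnerable():
    """The probe everyone ran in September 2014: export the payload in an
    environment variable and start bash. True if bash ran the trailing code,
    False if it is patched, None if bash cannot be started on this host."""
    try:
        r = subprocess.run(["bash", "-c", "echo probe"],
                           env={"x": PROBE,
                                "PATH": os.environ.get("PATH", "/usr/bin:/bin")},
                           capture_output=True, text=True, check=False)
    except OSError:
        return None
    return "VULNERABLE" in r.stdout


if __name__ == "__main__":
    # Constructed request: the payload arrives in a header, as in the OP's scenario.
    headers = {"User-Agent": PROBE, "Host": "example.invalid"}
    print("HTTP_USER_AGENT handed to the child:",
          cgi_environment(headers)["HTTP_USER_AGENT"])
    print("after scrubbing:", scrub_environment(cgi_environment(headers)))
    print("bash on this host vulnerable:", bash_is_vulnerable())
```

The point of the two handlers is that the fix is not a string filter: vulnerable_handler is exploitable on an unpatched bash no matter which command it runs, because bash parses the environment before the command line is even looked at, while hardened_handler removes both the shell and the attacker-controlled variables. is_function_export is only there for spotting the payload in logs or at a proxy.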

> or call system() to gzip something

Are you serious? Who the hell does that!?

Any half-assed language has a zip implementation; use that. Any non-boring language has an ImageMagick binding to that library.

This bug affects complete idiots.

>This bug affects complete idiots

Consider how many people touch an enterprise system, or even a system at a smaller shop. Consider how many people touch shared hosting servers or even dedicated boxes.

Do /you/ trust all of them, along with all the authors of all the software exposed to the web (or touched by something exposed to the web) on that system?

On shared hosting systems, you have to design the system with the assumption that someone is always compromised. So, additional accounts getting compromised should just be business as usual.

Seriously, if you're on shared hosting, it's almost certain that at least one person on the server is compromised/malicious.

Why would it be messed up if it's true? The Unix philosophy is to compose complex functionality using lots of small tools. Shelling out to existing tools instead of reinventing your own makes total sense.

Generally, that is true for small feats of system automation, but secure applications need to be isolated from the system layer.

But wget is not specialized security software.

I have seen implementations that shell out to bash scripts throughout my career in web and back-end development. It's a serious antipattern in the wild.