This script here is run when the process is spawned and spawns the PHP process that listens to stdin/stdout. Similar scripts exist in most installs of mod_fcgid, e.g. PLESK, Virtualmin, other ISP panels... It boils down to looking at what environment variables are there when bash runs this script, or not? Once bash starts and grabs the environment variables, the exploit starts.
So, considering there are other variables in there that can be manipulated, it would be possible to own a large chunk of servers on the Internet. However, I'm not sure if there is a caveat, and I had hoped that someone could help me.
Edit: Looks safe. These variables are not even there. It's just an outdated script.