Topic: Major Security Bug "ShellShock" (Read 3983 times)
Offline (Female) IsmAvatar
Posted on: September 25, 2014, 11:33:12 AM

LateralGM Developer
LGM Developer
Location: Pennsylvania/USA
Joined: Apr 2008
Posts: 886

If you haven't heard the news, another security vulnerability probably worse than Heartbleed has been discovered in Bash.
With it, an attacker can craft a very simple HTTP response and have your server run arbitrary code.

As soon as we heard the news, we immediately tested it and updated bash to the latest patched version, just to be sure.

We do not believe our server was vulnerable to these types of attacks, as our Apache does not seem to interact with Bash in that way. Our bash was indeed vulnerable, but again, nothing seemed to use it, so no harm there.

Other sites may still be vulnerable. An attack could publish database information, files, and other requests from users. This means that an attacker could gain access to passwords, credit card information, and public keys, even if the server isn't storing them - just from the fact that they are sent over the net to the server at some point.

Standard security precautions are recommended. Change your passwords regularly. Be careful where you enter your credit card information, and frequently monitor your account transactions and statements.
Offline (Male) Goombert
Reply #1 Posted on: September 25, 2014, 12:19:05 PM

Contributor
Location: Cappuccino, CA
Joined: Jan 2013
Posts: 2983

IsmAvatar, I have to admire your attention to security. I like knowing that on this site I feel secure in my privacy and personal effects. Great work!  (Y)
Offline (Unknown gender) Darkstar2
Reply #2 Posted on: September 25, 2014, 12:52:32 PM
Member
Joined: Jan 2014
Posts: 1212

Yes thanks, I had posted a topic about this yesterday here:
http://enigma-dev.org/forums/index.php?topic=2244.0;topicseen

:D
Offline (Unknown gender) The 11th plague of Egypt
Reply #3 Posted on: September 26, 2014, 07:01:44 AM
Member
Joined: Dec 2009
Posts: 284

I heard the first patch didn't really fix anything.
How's the situation right now?
Offline (Female) IsmAvatar
Reply #4 Posted on: September 26, 2014, 08:47:51 AM

LateralGM Developer
LGM Developer
Location: Pennsylvania/USA
Joined: Apr 2008
Posts: 886

I haven't heard anything about that, but Josh and I did some pretty thorough testing of the vulnerability to verify if we were vulnerable before and after an update, and we were able to verify that we were not vulnerable afterwards by any of our battery of tests - while bash was exhibiting symptoms prior to the upgrade. Perhaps we got both patches, or they patched the patch. Whatever the case, we pass the best battery of tests we could find.