In Cambodia you might not find this kind of news very interesting, but its impact on your website's security is serious, so here is a short explanation of the issue, based on the report published today by The Verge. There is a bug in the Bash shell used on Unix-like systems, called the "Bash bug" or "Shellshock" (tracked as CVE-2014-6271), that lets an attacker's code run as soon as the shell is started with a specially crafted environment variable, leaving the door open to a wide variety of attacks.

The bug is arguably worse than the recent Heartbleed bug in OpenSSL, because more than 60% of all websites are hosted on Unix-like systems according to statistics from w3techs.com, so fixing it everywhere could take quite a long time.

The impact is not limited to Linux: Apple's OS X is affected too, according to the Q&A on StackOverflow.

StackOverflow's answer, bug tested on OS X


How to know if my server is impacted

According to Red Hat's post and the StackOverflow Q&A above, you can test your server with the following command. If the output shows the word "vulnerable" on the line before "this is a test", the injected command was executed and your server is impacted by this bug:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 vulnerable
 this is a test

But if you see a warning such as "warning: x: ignoring function definition attempt" as below, your Bash already has the fix and the injected command was not executed:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
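The check above, wrapped in a small reusable script. This is an added example, not code from the original post or from Red Hat: it reuses the same test command, classifies the result on whether the injected command actually ran, and lets you place the payload in any environment variable name (for instance HTTP_USER_AGENT, which is how a CGI script passes a request header to Bash). The path to the Bash binary and the variable name are assumptions passed as arguments; the default is the bash found in PATH.

```shell
#!/bin/sh
# Added example (not from the original post): a small Shellshock probe that
# reuses the test command from the post and classifies its output.
# Assumptions: the bash binary to test is given as the first argument
# (default: bash in PATH); the environment variable name as the second.

PAYLOAD='() { :;}; echo vulnerable'   # a function body, then an injected command

# classify_probe_output OUTPUT
# Prints "vulnerable" if the injected command ran, otherwise "not vulnerable".
# Only the injected command's own output counts: a patched bash may print
# "ignoring function definition attempt" (first fix) or nothing at all
# (later releases changed how exported functions are named), and both are safe.
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# run_probe [BASH_PATH] [VARNAME]
# Runs the probe with the payload placed in the named environment variable.
# VARNAME defaults to "x" as in the post; pass HTTP_USER_AGENT to see that the
# name is irrelevant, which is exactly why CGI scripts (which copy request
# headers into the environment before starting the interpreter) were exposed.
run_probe() {
    bash_bin="${1:-bash}"
    varname="${2:-x}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "missing"     # no bash to test (e.g. /bin/sh is dash or busybox)
        return 0
    fi
    out=$(env "$varname=$PAYLOAD" "$bash_bin" -c 'echo this is a test' 2>&1)
    classify_probe_output "$out"
}

# Stand-alone usage: check the default bash via "x" and via a CGI-style name.
main() {
    printf 'bash via x:               %s\n' "$(run_probe bash x)"
    printf 'bash via HTTP_USER_AGENT: %s\n' "$(run_probe bash HTTP_USER_AGENT)"
}
main "$@"
```

Run it once before and once after your hosting provider updates the bash package (on Red Hat and Fedora the package is updated with yum, on Ubuntu with apt-get); the second run must report "not vulnerable" for every variable name you try.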


Solutions

Since the impact is at the server level, you need to contact your web hosting provider and ask them to upgrade the system urgently. The report said that, so far, only Red Hat and Fedora had released patches for the bug; I have just checked Ubuntu's blog and the update is available for Ubuntu servers too, so please update yours.

Every Unix-like server needs to check for and apply the latest patch to fix the issue in the Bash shell. Note that the first patch released for this bug was incomplete and was followed by a further fix (CVE-2014-7169), so apply all available updates to the bash package, not just the first one, and re-run the test above afterwards.


Followup