October 14, 2014, 4:00 pm
I'm running Windows 7 64-bit.
I have 3 websites on the same Linux or Unix server (not sure which).
I'm wondering if my Windows computer is vulnerable via Shellshock when using Putty 0.63...
...or if my webhost is vulnerable.
Looks like I can test like this: ?
Would I use Putty for that?
If so, am I at risk while using Putty?
Should I ask my webhost for permission before testing?
Re: Shellshock PuTTY
(1) Your Windows computer probably isn't running bash. The vulnerability
is in bash.

(2) PuTTY cannot set environment variables on the client system in
response to anything from the network; so even if your Windows system
*is* running bash somewhere (say as part of Cygwin), PuTTY is not a
vector by which tainted environment variables can propagate to it.

That's another matter, of course.

For some of these tests you'd need shell access; if you've got it, PuTTY
is one way of using it.

See above for risk to your client system.

It's unlikely that PuTTY would be a vector for bad environment variables
to get to the server, either. While PuTTY can request servers to set
environment variables if explicitly configured to, and other data PuTTY
sends can be a Shellshock vector (e.g. terminal type, command), an
attacker would basically have to already be in control of your client
system to set these, and if that's the case there are much easier things
they can do.

That's between you and your webhost.

That said, if you have shell access, then I'd be surprised if they'd
object to the simple tests that check bash's response to exported
functions and so on; these don't of themselves cross a privilege

You should probably be wary of downloading and running shell scripts
from the Internet to test this.
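
The kind of simple local test the reply describes, checking bash's response to an exported function, written out as an added example that is not part of the original thread. The variable name `probe`, the marker string and the function names are assumptions chosen for illustration; the script runs only against a bash binary on the machine where it is executed and sends nothing over the network.

```shell
#!/bin/sh
# Added example: read-only local check of how a bash binary treats an
# environment variable that holds a function definition followed by
# trailing text. Names and marker string are illustrative assumptions.

# classify_probe_output OUTPUT
# Turns the probe's stdout into a verdict string.
classify_probe_output() {
    case "$1" in
        # Marker printed before the real command ran: bash executed the
        # text that followed the function body while importing the variable.
        *SHELLSHOCK_MARKER*probe-ran*) echo "vulnerable" ;;
        # Only the requested command ran: trailing text was not executed.
        *probe-ran*) echo "not-vulnerable" ;;
        # bash did not even run the requested command; cannot decide.
        *) echo "inconclusive" ;;
    esac
}

# probe_bash [PATH_TO_BASH]
# Runs one child bash with a crafted variable and classifies the result.
probe_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # stderr is discarded so that import warnings from partially patched
    # builds cannot be mistaken for the marker.
    out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' \
        "$bash_bin" -c 'echo probe-ran' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Report on the bash found in PATH, or on the binary given as $1.
printf 'bash function-import check: %s\n' "$(probe_bash "${1:-bash}")"
```

A "not-vulnerable" verdict covers only the function-import behaviour checked here; the package version your host or distribution reports remains the authoritative signal that bash is fully patched.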