Shellshock, the bash bug, bashdoor

Shellshock is the latest security bug to grab the media's attention. It's a security flaw in the popular bash shell, which is an open source Unix shell. A shell is a command-line interpreter, similar to the Windows command prompt - commands are typed into the shell and executed by it.

The bug causes bash to unintentionally execute commands stored in special environment variables. This is bad because an attacker can insert any command and have it executed, regardless of their permissions. Essentially, this gives the attacker full control of the machine. Shellshock has been in bash for 22 years!

This is primarily a problem for Unix-based machines, including Linux and Apple OS X machines. Windows machines typically do not have bash installed, although a Cygwin port of bash is available on Windows.

CompleteFTP does not use Cygwin, so it is not vulnerable to Shellshock. However, if you have bash installed on any of your Windows servers, it would be wise to disable it or update to a patched version. And, of course, ensure that your Unix-based servers are patched.
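One way to confirm that a bash binary has been patched, as an added example (not from the original post or from CompleteFTP): the script hands bash a variable whose value looks like a function definition followed by a harmless echo, and reports whether bash ran that trailing command. The function names, the marker string and the paths you pass in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: local patch check for bash binaries on a host you administer.
MARKER=SHELLSHOCK_PROBE_RAN   # constructed marker; the probe only echoes it

# check_bash PATH -> prints "vulnerable", "patched" or "missing"
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "missing"
        return 2
    fi
    # An affected bash imports the variable as a function and then keeps
    # executing the text after the closing brace. A patched bash treats the
    # value as an ordinary string, so only "ok" is printed.
    out=$(env "probe=() { :; }; echo $MARKER" "$bin" -c 'echo ok' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# scan_paths PATH... -> one "status<TAB>path" line per candidate binary
scan_paths() {
    for candidate in "$@"; do
        printf '%s\t%s\n' "$(check_bash "$candidate")" "$candidate"
    done
}

# Run as: sh check_bash.sh /bin/bash /usr/local/bin/bash ...
# (on Windows, from a Cygwin shell, pass the Cygwin bash path instead)
if [ "$#" -gt 0 ]; then
    scan_paths "$@"
fi
```

A "patched" result covers only the environment-variable behaviour described above; keep bash on the vendor's current update regardless.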

Posted by John Faulds in