I am wondering whether my server could be vulnerable to ShellShock (or better: was vulnerable). The shell test reveals that I'm vulnerable:
$ export evil='() { :;}; echo vulnerable'; bash -c echo;
vulnerable
I don't need CGI for any of my websites, but just to be sure, I tried grep -i "cgi" *
on my Apache config files folder. Unfortunately I have discovered that some of my sites have CGI entries anyway, like this:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
However, there are no files in /usr/lib/cgi-bin
$ ll /usr/lib/cgi-bin/
total 0
And following a test, I get a HTTP 403 error:
$ curl -i -X HEAD "http://example.com/cgi-bin/" -A '() { :;}; echo "Warning: Server Vulnerable"'
HTTP/1.1 403 Forbidden
Date: Thu, 25 Sep 2014 22:22:32 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Can I safely conclude that my server is not vulnerable to a CGI attack in this case? If not, would a different curl
command show the vulnerability? And would it be sufficient to remove the /cgi-bin/
definitions from Apache config files?