Xymon Mailing List Archive search

'Shell shock' mitigation

list Tom Diehl
Fri, 26 Sep 2014 16:14:22 -0400 (EDT)
Message-Id: <user-bda87ecccaae@xymon.invalid>

Hi Henrik,

On Fri, 26 Sep 2014, Henrik Størner wrote:
> The xymon CGI interface runs via shell wrappers around the actual C cgi
> code (to set the environment properly), which means this would be an
> avenue for attack.
>
> Indeed, this one is nasty. Fortunately, most Linux systems I know of
> have /bin/sh linked to /bin/dash and hence are not vulnerable.
>
> In light of this, I think it is about time we retire the shell-script
> wrappers from Xymon. I have written a replacement which is now checked
> into the 4.3.18 branch.
>
> There is a preliminary release of 4.3.18 available on
> https://www.xymon.com/patches/ - feel free to try it out. I will release
> 4.3.18 over the weekend unless I find some problems with it.
>
> NOTE: Replacing the shell script wrappers means that the cgioptions.cfg
> file is no longer processed as a shell script. The new wrapper works
> fine with the default version of cgioptions.cfg, but if you have
> modified it in a way that it relies on being processed by a shell, then
> it will break.

I just upgraded bash to the latest from RH/Centos and I can report that it
breaks the data from machines using bbwin. They all went purple. To be sure
my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64 and
the purple went away.

Is it expected that the fix you reference above will work with bbwin? I have
not modified cgioptions.cfg.

I need to wait until the terabithia rpms are updated to upgrade xymon.

Regards,

-- 
Tom               user-dcee455aaab0@xymon.invalid
Spamtrap address  user-4d123f9c385b@xymon.invalid
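
The note quoted above says a cgioptions.cfg that relies on being processed by a shell will break under the new wrapper. The script below is an added example, not part of this thread and not Xymon code: a heuristic pre-upgrade check that flags such lines. It assumes plain NAME=value lines (with or without $NAME references) are the baseline that keeps working; the sample file, its variable names and its paths are constructed.

```shell
#!/bin/sh
# Added example (not Xymon code). Heuristic audit of cgioptions.cfg before moving
# to a wrapper that no longer sources the file with a shell.
# Assumption: plain NAME=value lines, with or without $NAME references, are the
# baseline that keeps working; every line flagged here needs a manual look.

audit_cgioptions() {
    # Prints "LINE: reason: text" per finding. Returns 0 if anything was flagged,
    # 1 if the file contains only comments, blanks and plain assignments.
    awk '
        function report(why) { printf "%d: %s: %s\n", FNR, why, $0; found = 1 }
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        /[$][(]|`/ { report("command substitution"); next }
        /[$][{][A-Za-z0-9_]*[^A-Za-z0-9_}]/ { report("parameter expansion operator"); next }
        !/^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { report("not a NAME=value assignment"); next }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

write_sample_cfg() {
    # Constructed sample, not a real site file. Lines 5-7 depend on a shell.
    cat > "$1" <<'EOF'
# cgioptions.cfg (constructed sample)
XYMONENV=/etc/xymon/xymonserver.cfg
CGI_EXAMPLE_OPTS="--env=$XYMONENV"

CGI_EXAMPLE2_OPTS="--env=$XYMONENV --example=$(hostname)"
CGI_EXAMPLE3_OPTS="--env=${XYMONENV:-/etc/xymon/xymonserver.cfg}"
if [ -r /etc/xymon/local.cfg ]; then . /etc/xymon/local.cfg; fi
EOF
}

# Usage: sh audit.sh /path/to/cgioptions.cfg
if [ -n "${1:-}" ]; then
    audit_cgioptions "$1"
fi
```

An exit status of 0 means at least one line was flagged and should be rewritten as a plain assignment before upgrading.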