With all the scare regarding CVE-2014-6271, I've found little concrete information regarding the vulnerability's surface area. In particular, does an individual require terminal access to execute this exploit? I am aware that CGI services that call out to the shell can indirectly provide access to this vulnerability (as per The bash vulnerability CVE-2014-6271 . Can it affect my CGI perl scripts? How to understand this?), but what other vectors of attack exist?
No, looks like apache's mod_cgi and mod_cgid are gateways for bash environment code execution with a crafted HTTP request header.