bash, shellshock-bash-bug

Root Cause of Shellshock Bash bug


I don't get the root cause of the Shellshock bash bug, such as CVE-2014-6271.
As far as I understand, Shellshock happens if there is malicious code inside the application packet header.
For example, if the HTTP header includes http-header[Cookie] = () { :; }; ping 192.168.0.1 then it pings 192.168.0.1.
However, an HTTP header only needs to be a set of string variables. Why does Apache ever run a bash script?
Is Apache's HTTP header parser composed of bash shell script?
Thank you! :)


Solution

  • C's system() function, used to execute an arbitrary external command, passes its argument to /bin/sh for parsing. (This is specified by POSIX.)

    /bin/sh, on Linux systems, is commonly a symbolic link to /bin/bash.

    If Apache invokes any external program via system(), and an attacker has been able to insert malicious code into any environment variable, it will be passed on to /bin/bash.
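
The path described in the answer above, as an added example that is not part of the original answer: a C program that puts a Cookie value into the environment, calls system(), and checks whether the child /bin/sh inherited it, with and without a filter that drops values starting with "() {". It assumes a CGI-style handoff in which the Cookie header becomes the HTTP_COOKIE variable; the function names and the sample value are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
extern char **environ;

/* Vulnerable bash versions treated any inherited variable whose value begins
 * with "() {" as an exported function definition and parsed it at startup. */
int looks_like_function_def(const char *value)
{
    return strncmp(value, "() {", 4) == 0;
}

/* Remove every such variable before a shell is spawned; returns the count. */
int scrub_environment(void)
{
    int removed = 0;
    char **e = environ;
    while (e && *e) {
        const char *eq = strchr(*e, '=');
        if (eq && eq > *e && looks_like_function_def(eq + 1)) {
            char *name = strndup(*e, (size_t)(eq - *e));
            if (!name) abort();
            unsetenv(name);
            free(name);
            removed++;
            e = environ;          /* unsetenv shifts entries: rescan */
        } else {
            e++;
        }
    }
    return removed;
}

/* Assumed CGI-style handoff: header -> HTTP_COOKIE -> system() -> /bin/sh.
 * Returns 1 if the child shell inherited HTTP_COOKIE, 0 otherwise. */
int shell_sees_cookie(const char *cookie_header, int scrub)
{
    setenv("HTTP_COOKIE", cookie_header, 1);
    if (scrub) scrub_environment();
    int status = system("test -n \"${HTTP_COOKIE+set}\"");
    unsetenv("HTTP_COOKIE");
    return status == 0;
}

int main(void)
{
    const char *sample = "() { :; }; :";   /* constructed, inert value */
    printf("raw=%d scrubbed=%d\n", shell_sees_cookie(sample, 0), shell_sees_cookie(sample, 1));
}
```

A filter like this narrows the path the answer describes; it does not replace updating bash.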