I tested whether the BASH vulnerability that executes code planted in environment variables affects CGI scripts, and the result was pretty dismal

September 25, 2014
嶋田大貴

This article is from 2014.

Since this morning there has been a commotion over something called the "Bash specially-crafted environment variables code injection attack", so I promptly tried it on my local Apache.

I set up a CGI script that does nothing but print a one-line message, so that it runs at the URI /hoge.cgi. At first glance, because it accepts no input at all from the client side, it looks as if there is no way it could be dangerous.

    #!/bin/sh
    echo "Content-type: text/plain"
    echo
    echo "Hi! I'm an ordinary CGI script w
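Why a script that reads no input is still exposed, as an added example that is not part of the original article: under CGI the web server copies request headers into `HTTP_*` environment variables before it starts the script, so client-controlled strings reach the shell's environment anyway. The sketch below maps header names to their CGI variable names and flags values that begin with the `() {` prefix bash uses for exported function definitions; the function names and sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# sample headers below are constructed for illustration.

# Convert a header name to the CGI meta-variable name the server exports
# (RFC 3875: upper-case, '-' becomes '_', prefixed with HTTP_).
cgi_var_name() {
    printf 'HTTP_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Return 0 if a value starts with bash's exported-function prefix "() {".
looks_like_function_def() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read "Name: value" header lines on stdin; print the CGI variable name of
# every header whose value would be treated as a function definition.
flag_suspicious_headers() {
    while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        value=${value# }            # drop the single space after the colon
        if looks_like_function_def "$value"; then
            cgi_var_name "$name"
        fi
    done
}

# Constructed sample request headers. The flagged value is inert here: it is
# only compared as a string and never exported into a shell's environment.
sample_headers() {
    printf '%s\n' \
        'Host: www.example.com' \
        'User-Agent: Mozilla/5.0 (X11; Linux x86_64)' \
        'Referer: () { :; }' \
        'Accept: text/plain'
}

sample_headers | flag_suspicious_headers   # prints HTTP_REFERER
```

A match like this in request logs or at a filtering proxy is a signal worth alerting on; the fix itself is a patched bash.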
