Hi Henrik,
On Fri, 26 Sep 2014, Henrik Størner wrote:
> The xymon CGI interface runs via shell wrappers around the actual C cgi code (to set the environment properly), which means this would be an avenue for attack. Indeed, this one is nasty. Fortunately, most Linux systems I know of have /bin/sh linked to /bin/dash and hence are not vulnerable.
> In light of this, I think it is about time we retire the shell-script wrappers from Xymon. I have written a replacement which is now checked into the 4.3.18 branch.
> There is a preliminary release of 4.3.18 available on https://www.xymon.com/patches/ - feel free to try it out. I will release 4.3.18 over the weekend unless I find some problems with it.
> NOTE: Replacing the shell script wrappers means that the cgioptions.cfg file is no longer processed as a shell script. The new wrapper works fine with the default version of cgioptions.cfg, but if you have modified it in a way that it relies on being processed by a shell, then it will break.
I just upgraded bash to the latest from RH/Centos and I can report that it breaks the data from machines using bbwin. They all went purple. To be sure my hunch was correct, I downgraded bash to bash-4.1.2-15.el6_5.1.x86_64 and the purple went away.
Is it expected that the fix you reference above will work with bbwin? I have not modified cgioptions.cfg.
I need to wait until the terabithia rpms are updated to upgrade xymon.
Regards,
-- 
Tom
me at tdiehl.org
Spamtrap address me123 at tdiehl.org
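As an added illustration of the wrapper approach Henrik describes above (this is example code, not Xymon's own wrapper), the following C program exports a cgioptions.cfg-style file with setenv() and execv()s the CGI binary directly, so no shell ever sees the request environment; the config and CGI paths are assumptions.

```c
/* Added illustration, not Xymon's own wrapper: a CGI wrapper with no shell in
 * the chain. It turns KEY="value" lines from a cgioptions.cfg-style file into
 * setenv() calls and execv()s the real CGI, so the HTTP_* request environment
 * is never parsed by bash. Values needing shell expansion ($VAR, `cmd`) are
 * exported literally: the "it will break" caveat. Paths are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define CFG_FILE "/etc/xymon/cgioptions.cfg"          /* assumed path */
#define CGI_BIN  "/usr/lib/xymon/cgi-bin/history.cgi" /* assumed path */

/* Parse one KEY="value" (or KEY=value) line. Returns 1 on success,
 * 0 for blank, comment or malformed lines. */
int parse_option(const char *line, char *key, size_t keysz,
                 char *val, size_t valsz)
{
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '\0' || *line == '\n' || *line == '#') return 0;
    const char *eq = strchr(line, '=');
    if (eq == NULL || eq == line) return 0;
    size_t klen = (size_t)(eq - line);
    if (klen >= keysz) return 0;
    memcpy(key, line, klen); key[klen] = '\0';
    const char *v = eq + 1;
    size_t vlen = strcspn(v, "\r\n");                 /* drop line ending */
    if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') { v++; vlen -= 2; }
    if (vlen >= valsz) return 0;
    memcpy(val, v, vlen); val[vlen] = '\0';
    return 1;
}

/* Export every option in cfgfile; returns the count, or -1 if unreadable. */
int load_options(const char *cfgfile)
{
    char line[1024], key[256], val[768]; int n = 0;
    FILE *fp = fopen(cfgfile, "r");
    if (fp == NULL) return -1;
    while (fgets(line, sizeof line, fp) != NULL)
        if (parse_option(line, key, sizeof key, val, sizeof val) && setenv(key, val, 1) == 0) n++;
    fclose(fp);
    return n;
}
int main(int argc, char **argv)
{
    (void)argc;
    if (load_options(CFG_FILE) < 0) { perror(CFG_FILE); return 1; }
    execv(CGI_BIN, argv);      /* hand over directly: no /bin/sh in the chain */
    perror("execv"); return 1;
}
```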