How vulnerable are bash users to shellshock bug?

Achim Gratz Stromeko@NexGo.DE
Mon Sep 29 09:02:00 GMT 2014

Andy <AndyMHancock <at>> writes:
> According to,
> shellshock is exploited when someone submits commands in place of parameter
> data to a server, which then tries to shove the info into an environment
> variable by a bash invocation.  

No, the attack vector is to have a targeted user run bash in an environment
with at least one environment variable having crafted content as to exploit
the bug.  That's quite general and can be used for all sorts of privilege
escalation locally, using it remotely via a service is just the icing on the


Problem reports:
Unsubscribe info:

More information about the Cygwin mailing list