shellshock - detect in Apache?

[Fulko Hew]

On Fri, Sep 26, 2014 at 10:40 AM, Gary Stainburn <
gary.stainburn at ringways.co.uk> wrote:

> On Friday 26 September 2014 15:32:15 Fulko Hew wrote:
> > On Fri, Sep 26, 2014 at 8:28 AM, Matthew Miller <
> mattdm at fedoraproject.org>
> >
> > wrote:
> > > On Fri, Sep 26, 2014 at 01:19:29PM +0100, Gary Stainburn wrote:
> > > > Is there any way to detect an attack within Apache and block it?
> > > > I'm thinking of a rule or something to check the user-agent or equiv
> > >
> > > before
> > >
> > > > calling the CGI or PHP etc.
> > > > I'm looking to protect some old servers where BASH updates won't be
> > > > forthcoming
> > >
> > > You should be able to do this with mod_rewrite -- at least if you can
> be
> > > sure that none of the CGI variables should ever legitimately start with
> > > "(".
> > > Use the RewriteCond and test for every one of those variables that come
> > > from
> > > the user.
> > > http://httpd.apache.org/docs/current/mod/mod_rewrite.html
> > >
> > > There may be a better way, but that's what comes to mind.
> >
> > Is there a simple test (similar to the 'basic bash' test';  posted
> > everywhere)
> > that can be executed to determine whether an apache/cgi 'environment'
> > can be attacked?  or do each of my CGI (perl) apps need checking...
> >
> > It seems to me to be an apache/cgi environment issue, and not
> > a CGI app issue.
>
> I've found the following page:
>
>
> http://www.zdnet.com/shellshock-how-to-protect-your-unix-linux-and-mac-servers-7000034072/
>
> which includes some rewrite rules. As I've never done rewrite rules before,
> where would I put them?
>

Yes, I saw that from a few emails ago.
That's a potential technique for mitigation, but I'm wondering
about a technique for detecting apache/cgi based vulnerability.

Ie.  Do I have to worry about _my_ web server?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20140926/024be358/attachment.html>