From: "Eric S. Johansson"
To: cerowrt-devel@lists.bufferbloat.net
Date: Wed, 24 Sep 2014 18:00:34 -0400
Subject: Re: [Cerowrt-devel] bash exploit heads up

On 9/24/2014 5:54 PM, Eric S. Johansson wrote:
>
> On 9/24/2014 5:45 PM, Dave Taht wrote:
>> shows vulnerable for bash, not sh, on openwrt and cerowrt. That said,
>> it makes me nervous. I've never really liked the redir.sh method cero
>> uses to bounce people to the right web interface... suggestions to do
>> it in javascript or something safer desired.
>>
>
> http://www.w3.org/QA/Tips/reback
>
> I'll take a look in the next couple of days if no one beats me to it.

Looked a bit further. Assuming you are still using lighttpd, it looks like we should be able to do it from the lighttpd config:

http://redmine.lighttpd.net/projects/1/wiki/docs_modredirect