[Xymon] 'Shell shock' mitigation

Henrik Størner henrik at hswn.dk
Fri Sep 26 16:54:16 CEST 2014


> The xymon CGI interface runs via shell wrappers around the actual C cgi
> code (to set the environment properly), which means this would be an
> avenue for attack.
Indeed, this one is nasty. Fortunately, most Linux systems I know of
have /bin/sh linked to /bin/dash and hence are not vulnerable.

In light of this, I think it is about time we retire the shell-script
wrappers from Xymon. I have written a replacement which is now checked
into the 4.3.18 branch.

There is a preliminary release of 4.3.18 available on
https://www.xymon.com/patches/ - feel free to try it out. I will release
4.3.18 over the weekend unless I find some problems with it.

NOTE: Replacing the shell script wrappers means that the cgioptions.cfg
file is no longer processed as a shell script. The new wrapper works
fine with the default version of cgioptions.cfg, but if you have
modified it in a way that it relies on being processed by a shell, then
it will break.


Regards,
Henrik
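
Added example, not part of the message above and not Xymon code: a small lint that reports lines in a cgioptions.cfg-style file which only work when a shell processes the file. It assumes the non-shell wrapper accepts blank lines, comments and single NAME=value assignments with simple $NAME references, which the message does not specify; the sample input and its variable names are constructed.

```python
import re

# Assumption (not from the list post): anything beyond one NAME=value
# assignment per line with simple $NAME references needs a real shell.
ASSIGNMENT = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
PLAIN_VALUE = re.compile(
    r'''^(?:"[^"]*"|'[^']*'|[^\s"'`;|&<>()]*)\s*(?:#.*)?$''')
SHELL_EXPANSIONS = [
    (re.compile(r'\$\(|`'), "command substitution"),
    (re.compile(r'\$\{[^}]*[-:#%/+=?][^}]*\}'), "parameter expansion operator"),
]

# Constructed sample input, not the shipped cgioptions.cfg.
SAMPLE = '''\
# constructed cgioptions.cfg-style input
CGI_EXAMPLE_OPTS="--env=$EXAMPLE_HOME/example.cfg"
CGI_HOST_OPTS="--host=$(hostname -f)"
if [ -f /tmp/example-local.cfg ]; then
    . /tmp/example-local.cfg
fi
CGI_LOG_OPTS="--log=${EXAMPLE_LOGDIR:-/tmp/example}"
CGI_LITERAL='$(not expanded)'
'''

def shell_dependencies(text):
    """Return (line_number, reason) for each line that relies on a shell."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = ASSIGNMENT.match(line)
        if match is None:
            findings.append((number, "shell statement, not an assignment"))
            continue
        value = match.group(2)
        if not PLAIN_VALUE.match(value):
            findings.append((number, "value is not a single quoted or bare word"))
            continue
        if value.startswith("'"):
            continue  # inside single quotes a shell expands nothing either
        for pattern, reason in SHELL_EXPANSIONS:
            if pattern.search(value):
                findings.append((number, reason))
                break
    return findings

if __name__ == "__main__":
    for number, reason in shell_dependencies(SAMPLE):
        print(f"line {number}: {reason}")
```

An empty result means the file fits the assumed plain-assignment subset; any reported line is one to rewrite as a literal value before switching wrappers.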




