6 years, 25 years, and your software stack
2014/10/27 12:48:41 CET

An answer to someone wondering on misc@ about some strange output:

On Sat, Aug 16, 2014 at 04:03, Clint Pachl wrote:

I checked out my saved install configurations at http://129.128.5.191/cgi-bin/ftplist.cgi and noticed that at the end of the file there are fields named "NSAID," "CSISID," and "GOOGLE_ID." They all sound scary. Each time I refresh the page, only one of the three IDs appears, but they seem to rotate. WTF?

Checking to see who's paying attention.

1 person noticed. Took about 6 years.

In September 2014, we learnt that a shell with fancy features, used for binding Internet-facing services to local executables, was host to 25-year-old security-critical bugs. Ironically, the vulnerable feature was likely never needed in order to pass environment variables, but it was nevertheless always in the execution path because it was bundled with the shell.

Bugs rarely disappear by themselves. The age of code is no indication that it is bug-free. Disabling features that are not needed to achieve a given objective matters.
