New “unix Bash security hole”, deadlier than “Heartbleed”

A big Unix bash hole (“Shellshock”) was uncovered on 24th Sep 2014, which can be used to take control of your Unix-based system.

Bash is very powerful software for controlling Unix-based systems via the command line. If this powerful weapon falls into the wrong hands, everything can be lost.

The Department of Homeland Security’s United States Computer Emergency Readiness Team, or US-CERT, issued an alert saying the vulnerability affected Unix-based operating systems including Linux and Apple Inc’s Mac OS X.

Is your system vulnerable?

As per an excellent write-up by RedHat, to check if your system is vulnerable, type the command below in bash.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output contains the word "vulnerable", like

vulnerable
this is a test

you need a patch to fix it.

It is relatively easy to use this hole.

Tod Beardsley, an engineering manager at cybersecurity firm Rapid7, warned the bug was rated a “10” for severity, meaning it has maximum impact, and rated “low” for complexity of exploitation, meaning it is relatively easy for hackers to launch attacks.

Fix it!

US-CERT advised computer users to obtain operating systems updates from software makers. It said that Linux providers including Red Hat Inc (RHT.N) had already prepared them, but it did not mention an update for OS X. Apple representatives could not be reached.

To update bash on Red Hat based systems, a command like the following can be run

yum update bash

After patching, if you run the test command above again, you will see output similar to

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
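The same check, wrapped in a script that tests every bash binary it finds, since a machine can carry more than one copy and the package update only replaces one of them. This is an added example, not from the original post or the RedHat write-up; the function names and the list of paths are assumptions.

```shell
#!/bin/sh
# Added example: run the article's Shellshock probe against each bash binary.

# Classify the text printed by the probe: vulnerable, patched or error.
classify_output() {
    case $1 in
        *vulnerable*)       echo vulnerable; return 1 ;;  # trailing command was executed
        *'this is a test'*) echo patched;    return 0 ;;  # only the -c command ran
        *)                  echo error;      return 2 ;;  # binary did not run as expected
    esac
}

# Run the probe from the article against one binary.
check_bash() {
    bin=$1
    [ -x "$bin" ] || { echo error; return 2; }
    # A patched bash prints warnings on stderr; they are discarded here.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null)
    classify_output "$out"
}

# Check the usual install locations (assumed list; extend it for your systems).
audit_all() {
    rc=0
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        [ -x "$bin" ] || continue
        status=$(check_bash "$bin") || rc=1
        printf '%-24s %s\n' "$bin" "$status"
    done
    return $rc
}

audit_all || echo "at least one bash binary needs attention"
```
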

For Mac users:
Unlike Heartbleed, Shellshock doesn’t appear to have any easy solutions for average users right now. In most cases, it will be up to system administrators and software companies to issue patches.



ApaChE Tips

During development, we sometimes need to set up several different projects on one system. Each of them needs some configuration (virtual hosts, host entries, …) to run in the local environment.

Here, I am sharing some Apache tips that may be helpful when setting up different projects.

Setup a Virtual Domain

NameVirtualHost *
<VirtualHost *>
DocumentRoot /web/
ServerAlias
CustomLog /web/ combined
ErrorLog /web/
</VirtualHost>

Include another conf file

Include /etc/apache/virtual-hosts/*.conf

Hide Apache Version Info

ServerSignature Off
ServerTokens Prod

Only allow Access from a specific IP

Order Deny,Allow
Deny from all
Allow from

Only allow access from your subnet

Order Deny,Allow
Deny from all
Allow from

Add a directory index

DirectoryIndex index.cfm index.cfm

Turn OFF directory browsing

Options -Indexes

Turn ON directory browsing

<Location /images>
  Options +Indexes
</Location>

Enjoy Coding! 🙂