I’d be interested to see if/how this is exploitable from some sort of popular front end app (thinking, apache with mod_php, not just cgi)
While mod_php does not immediately rely on bash in the way cgi does, it could definitely be possible to influence environment variables. Forcing a remote machine to read the variables would be a second issue, though. In any case, many uses of system() are likely to run into bash somewhere along the line. I’m very curious how this one will play out, as I doubt the patching process will be anywhere as smooth as with Heartbleed.
Thanks for the snippets showing your local test
Guys, aren’t you tired of discussing how awesome/miserable Android/iPhone and their users are? Just curious.
It starts out being interesting to watch from the sidelines, but as time goes by it becomes a wee bit sad. Very much like all the others - Linux / Windows / OSX, vim / emacs, GNU / BSD, the list goes on.
As far as I know there are no provisions in place to upgrade your license – you’ll have to buy an additional extended license if you decide you need one at a later stage.
Then again, you do get the benefit of looking through the file and trying it out for the (significantly cheaper) price of the regular license if you get that one before spending more on an extended license.
Very much appreciated, Alex. I find myself agreeing with the vast majority of the points you make, and it appears that you have really hit home on the important issues. I hope a staff member is willing to pick this up, as this kind of feedback should not be ignored. The only way to continue the success that the Envato marketplaces have had is by not only listening, but also acting upon these outcries. This is, of course, directly related to the first issue that you pose – it is definitely time Envato became a bit more vocal towards its authors, as well as by acting accordingly.
Thanks for taking the time to put this together!