Adware vs Malware is an important distinction. No one here is claiming Microsoft are saints, but what Samsung is doing (if true) is at best Lenovo-level malicious negligence.
Wikipedia is causing controversy? Glad to hear it's still working.
On a more serious note, "Wikipedia is wrong" and "Wikipedia is doomed" really need to be separated. These clickbait headlines are getting excessively tiring, particularly if anyone is taking them at face value. A solid attempt at collecting the whole sum of human knowledge will obviously have issues given the nature of how we operate.
However, claiming that the misrepresentation of some >current and developing< topic spells the doom of the best attempt at a concise and well-indexed source on human history, the development of our species, and the thoughts/ideals that our civilization stands on is a bit much.
CGI has always been an accident waiting to happen, but hardly anybody uses it anymore anyway, and even more rarely in a manner that invokes bash, of all things.
I fail to see how "HTTP requests" generically are a vector, and its "Here is a sample" statement is not a link and is followed by... nothing.
This article tells me nothing useful other than "don't allow untrusted data into your environment", which we've all known for 20 years.
FastCGI accepts name/value pairs from the server and most default language bindings against it will turn them into environment variables for the benefit of code that expects to be able to reference them. This can get tricky if you do anything that spawns a process with your code later.
Almost all vendor-supplied web interfaces that don't come bundled with a web server are CGI so you can just run it from whatever web server you have. Even some very popular 'appliances' out there that have their own web server run CGI.
Unless you're using CGI, your system environment will not be contaminated. CGI is vulnerable because it relies on passing untrusted data in environment variables. No other gateway interface I'm familiar with does.
Are you certain that no method of invoking a dynamic script sets environment variables to values controlled by requests? If so, it sounds like even an innocent call to system("lame a.wav b.mp3") could lead to code execution.
Edit: also, you may be surprised to find that some "libraries" are actually wrappers around external binaries (e.g. libgpgme). If any of them used a system() or exec() call that preserves environment, and the binary or the library ever invokes bash (e.g. via system()), then trouble will ensue.
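As an added example (not code from the thread or from any project discussed in it): how a CGI gateway turns request headers into environment variables, why a later subprocess call inherits them, and the hardened form beside the unsafe one. It is in Python so it runs anywhere; the child process is python itself rather than lame or bash, standing in for the system() call above. The header names and values are constructed, and the `() {` check assumes the bash issue under discussion is its parsing of exported function definitions from the environment.

```python
import os
import subprocess
import sys

# Constructed sample request. The User-Agent value is the kind of untrusted
# data a CGI server copies into the environment verbatim; its "() {" prefix
# is the syntax bash uses for functions exported via the environment
# (assumption: that is the bash behaviour the thread is discussing).
SAMPLE_METHOD = "GET"
SAMPLE_PATH = "/cgi-bin/convert.cgi"
SAMPLE_HEADERS = {
    "User-Agent": "() { :; }; echo pwned",
    "Accept": "text/html",
    "Cookie": "session=abc123",
}


def cgi_environ(method, path, headers):
    """Build CGI meta-variables the way RFC 3875 prescribes: every request
    header becomes HTTP_<NAME>, uppercased, with '-' replaced by '_'.
    This is the step where attacker-controlled bytes enter the environment."""
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": path,
    }
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def function_like_vars(env):
    """Names of variables whose value looks like an exported bash function.
    Useful as a log or WAF check, not a substitute for a clean environment."""
    return sorted(k for k, v in env.items() if v.lstrip().startswith("() {"))


def child_sees(env, var):
    """Spawn a child with exactly `env` and return what it sees in `var`.
    The child is python itself (portable, no bash needed); it stands in for
    the helper binary a CGI script might run later."""
    probe = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"
    done = subprocess.run(
        [sys.executable, "-c", probe, var],
        env=env, capture_output=True, text=True, check=True,
    )
    return done.stdout


def convert_unsafe(request_env):
    """What a typical CGI script does: request-derived variables are merged
    into the process environment and every child inherits all of them."""
    inherited = {**os.environ, **request_env}
    return child_sees(inherited, "HTTP_USER_AGENT")


def convert_safe(request_env):
    """Hardened form: spawn helpers with a minimal, explicit environment and an
    argv list (no shell), so request data never reaches the child's environ.
    Anything the helper genuinely needs goes in as an argv element instead."""
    minimal = {"PATH": "/usr/bin:/bin", "LANG": "C"}
    return child_sees(minimal, "HTTP_USER_AGENT")


if __name__ == "__main__":
    env = cgi_environ(SAMPLE_METHOD, SAMPLE_PATH, SAMPLE_HEADERS)
    print("suspicious:", function_like_vars(env))
    print("unsafe child sees:", repr(convert_unsafe(env)))
    print("safe child sees:", repr(convert_safe(env)))
```

The point of the two converters is that nothing about the helper binary changes; what changes is whether the environment it inherits still carries the request. Passing a fixed `env=` and an argv list (never `shell=True`, never `system()` with a string) closes the channel regardless of which library or binary ends up invoking a shell.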
If you're using the nginx module, it gets the data from an instance of ngx_http_request_t. From there it gets passed around over sockets. Environment variables are not involved.
Using environment variables for request data would be quite insane when one of your marketing strategies is "fast" -- you'd either have to fork-per-connection just like CGI, or pre-fork processes that take input over a socket, deliberately deserialize it into the environment(!), and use getenv.
However overhyped Passenger might be, I don't know why you'd think the Phusion guys are that crazy.
Discovering that CUPS and dhclient may be vulnerable doesn't change anything. I'm talking about HTTP as an attack vector.
Yeah this is true - a lot of hosting providers run PHP as a CGI as it allows them to run the PHP process under the user account (although it is very slow, and RUID2 is a better solution).
If you're not running mod_cgi can this affect the system in any way?
They would be too slow to be useful at any kind of real load. Are you sure you're not thinking of FastCGI? That doesn't pass data through the environment, it goes over a socket.
What happened to all the applications and services for outsourcing HR departments in terms of payroll, benefits, etc.? -- thought there were a bunch more than Workday and ZenPayroll?
Getting a full list of those would be particularly useful.
Yup - http://en.wikipedia.org/wiki/Tobin_tax
You can make it very small to cut out almost all of these problems and it wouldn't be noticeable to any non-HF traders. It's not gotten very far in the US and is only partially supported in the EU (though I think there's something amiss with the EU proposal).