The ability to run arbitrary commands, for one.
That's not how it works.
CGI sets environment variables from the web request, including things like user-agent and referer [sic].
Iff (if and only if) the web page calls bash (which would happen indirectly by calling system() in several web script dialects) then bash inherits the environment variables and bang! the bug is active.
No-one does that, other than deliberately. That's what the Shellshock "bug" allows you to do.
That same ability is inherent in any scripted web page.
because the 'arbitrary' bit is a broad church.
Firstly because in order to have this happen, the website has to be configured to use direct CGI, rather than say PHP (just as much of a security hole which isn't much)
Secondly, it must have some cgi script or program there to receive the malformed request.
Thirdly, that malformed request must be passed without parameter checking to a shell.
Fourthly, the shell has to be bash, explicitly, or implicitly because it's linked to the default shell /bin/sh.
I have a bad bash and a publicly accessible web server, I even satisfy the first condition.
But not the last three.
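
An added example, not part of any post in this thread: a defender-side check for the path described above, where CGI copies request headers into environment variables that a child shell then inherits. The function names and sample requests are constructed for illustration; the check relies on the fact that unpatched bash parsed any inherited value beginning with `() {` as a function definition.

```python
# Added illustration; names and sample data are constructed, not from the thread.

# Unpatched bash treated an inherited environment value that begins with
# exactly "() {" as an exported function definition and parsed it at startup.
FUNC_PREFIX = "() {"


def cgi_env(headers):
    """Map request headers to CGI meta-variables (HTTP_<NAME>, as CGI does)."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def flag_function_values(env):
    """Names of variables whose value would be read as a function definition."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def scrub(env):
    """Drop flagged variables so a shell started via system() never sees them."""
    bad = set(flag_function_values(env))
    return {k: v for k, v in env.items() if k not in bad}


# Constructed sample requests; the command part is a placeholder.
SAMPLES = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Referer": "http://example.com/"},
    {"User-Agent": "() { :; }; <command placeholder>", "Referer": "http://example.com/"},
    {"User-Agent": "curl/7.30", "Referer": "() { x; }; <command placeholder>"},
    # The prefix in the middle of a value is not parsed as a function: not flagged.
    {"User-Agent": "agent with () { inside", "Referer": "-"},
]


def report(samples):
    """Flagged variable names per request, in input order."""
    return [flag_function_values(cgi_env(h)) for h in samples]


if __name__ == "__main__":
    for i, hits in enumerate(report(SAMPLES)):
        print(i, hits or "clean")
```

Scrubbing the environment this way only narrows the third condition listed above (unchecked input reaching a shell); patching bash removes the parsing behaviour itself.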