[ from /. thread ]
This is the test to see if you are vulnerable:
env x='() {:;}; echo vulnerable' bash -c "echo this is a test"
And what should we see if we are vulnerable? My running of that just prints out syntax errors and then runs the echo command. The printing out of syntax errors does seem strange, as I would have expected the guff in the single quotes to be verbatim assigned to x without any globbing or variable substitution. But I am no expert in bash having learnt most of my Unix foo on Solaris and Tru64 Unix running csh.
Bad: vulnerable this is a test Good: this is a test Source: http://linux.slashdot.org/comments.pl?sid=5750159&cid=47985837 Cheers, Peter -- Peter Reutemann, Dept. of Computer Science, University of Waikato, NZ http://www.cms.waikato.ac.nz/~fracpete/ Ph. +64 (7) 858-5174