
Thanks for explaining—it's good to confirm my theory that all shells are vulnerable, not just ones which incorporate user input.

> which isn't quite uncommon, many websites use some kind of processing of data they receive with external programs, or call sockets, or do other crazy stuff

I do think the "crazy stuff" part is important. I've never come across a popen/shell call in a web app which looked sane or secure to me.



Here's an example from Wordpress:

   if (!@$mail = popen($sendmail, 'w')) {

Here's another example from Active Record:

   Kernel.system("psql -q -f #{Shellwords.escape(filename)} #{configuration['database']}")

This is not uncommon, and your web app probably does it if you send mail or interact with other services on the machine. There are quite a few examples in most frameworks; are you completely sure nothing you depend on calls popen?

Far safer just to update bash.
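
One way to act on the question in the comment above ("are you completely sure nothing you depend on calls popen?"), as an added example that is not part of the thread or of either project: a Ruby script that lists call sites which may start a shell. The pattern lists, file names and the lines surrounding the two quoted calls are assumptions made for illustration.

```ruby
# Added example: list call sites that may start a shell so they can be reviewed.
# The pattern lists are illustrative assumptions and are not exhaustive.
PATTERNS = {
  '.php' => /\b(popen|proc_open|shell_exec|passthru|system|exec)\s*\(/,
  '.rb'  => /\b(Kernel\.system|IO\.popen|Open3\.\w+|system|exec|spawn)\s*\(?\s*["'\[]/
}.freeze

Finding = Struct.new(:file, :line, :call, :dynamic)

# Scan one file's text and return an array of Finding.
def shell_outs(file, text)
  pattern = PATTERNS[File.extname(file)]
  return [] unless pattern                      # unknown file type: nothing to report
  text.each_line.with_index(1).filter_map do |src, no|
    next if src.strip.start_with?('#', '//')    # skip whole-line comments
    m = pattern.match(src)
    next unless m
    # dynamic: the command comes from a variable or interpolation, so review it first
    dynamic = src.match?(/#\{|\(\s*\$\w+/)
    Finding.new(file, no, m[1], dynamic)
  end
end

# Scan a hash of { file name => source text }.
def audit(sources)
  sources.flat_map { |file, text| shell_outs(file, text) }
end

# Constructed samples: the two calls quoted above, wrapped in made-up context.
PHP_SAMPLE = <<~'PHP'
  <?php
  if (!@$mail = popen($sendmail, 'w')) {
    return false;
  }
PHP
RUBY_SAMPLE = <<~'RUBY'
  def load(filename)
    Kernel.system("psql -q -f #{Shellwords.escape(filename)} #{configuration['database']}")
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  audit('mailer.php' => PHP_SAMPLE, 'db_tasks.rb' => RUBY_SAMPLE).each do |f|
    puts "#{f.file}:#{f.line} #{f.call} dynamic=#{f.dynamic}"
  end
end
```

A hit only means the call deserves a look at which shell it ends up running; it does not replace patching bash.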


> I've never come across a popen/shell call in a web app which looked sane or secure to me.

No true Scotsman as applied to webapps? Someone else has already pointed out an example from Wordpress - bet you don't consider it "sane or secure". (Not that I consider it the most secure thing ever, but I'm not the one trying to downplay shellshock.) You must admit that wordpress is highly popular and that there are many installations of it, and that the people running them aren't stupid.

Face it, the barrier for entry for writing webapps is so low that anything web-facing should be considered possibly vulnerable unless proven otherwise.

Even web apps not doing 'crazy stuff' can be written by a lone web-dev who just learned PHP from a book in 21 hours. Not every web app is written by a top-tier, skilled web-dev who's up to date on the latest best practices, with a clean design for user-input sanitization, and a team of QA folk trying to poke holes, and a dedicated security team auditing the code, deployed behind some sort of filtering proxy.

Hell, you'd think that with enough top-tier talent that bugs never happen, but even Google's been hit with a bug that exposed files from their servers; Facebook had that login security bug that they paid out for via their bug bounty program, Apple's security in the first bunch of revisions of iOS was laughable, and so on.


> You must admit that wordpress is highly popular and that there are many installations of it, and that the people running them aren't stupid.

Hahahahahaha, have you ever seen the Wordpress codebase?

> Face it, the barrier for entry for writing webapps is so low that anything web-facing should be considered possibly vulnerable unless proven otherwise.

True. I'm sure there are thousands (millions?) of compromised sites out there. Heck, probably a few of the ones I wrote back in high school are compromised.

My only point is that I'm less scared by this because it doesn't affect highly secure and modern websites (i.e. I don't expect Facebook to announce they're compromised by Shellshock) as shelling out from a web server really isn't considered modern and secure. Comparatively, Heartbleed was very scary because sites which were following all the best practices (including using SSL) were vulnerable.



There may be millions of Wordpress installations, but how many run as CGI-scripts?

My guess is very close to zero. Wordpress is really slow as it is. It's also likely to be more complicated to set up compared to mod_php or FastCGI.

No, your bugs likely won't be in the direct execution of your web apps, but in their auxiliary functions such as processing received e-mail, handling print queues etc.





