Quote:

---

Bash has been around since the late 1980s and is the default shell for OS X, Linux and some versions of Unix. By default, Windows machines and Windows servers don't run Bash, but versions of Bash are often installed on Windows. (This will be important later.)

Bash isn't just a command interpreter — it can also be used as a parser for CGI scripts — the way many websites display dynamic content. This is important because CGI scripts are often executed on Apache, the most common kind of web server in the world.

As you may remember from Heartbleed, about 50% of web servers run Apache, which means they may have some version of Bash on them, which means they may have some version of Bash on them. And that's without even taking into account any other web servers that might also have Bash installed as part of their setup.

Some users are getting confused in thinking Bash is the command line. It's not, but it is the most common command interpreter in the world and is installed on millions of systems.

One of the core functions of Bash is that it lets users define functions as a way to pass text onto other systems and processes. Usually, this is just fine — and hey, it's convenient, that's why it exists.
What's the problem?

The problem is that there is a major vulnerability that occurs when specific characters are included as part of a variable definition. If the characters "{ :;};" are included as the function definition, any arbitrary code that is inserted AFTER that definition is processed. This isn't supposed to happen.

In other words, if I'm able to define what looks like a normal function with those special characters and then I tack on a few shell commands at the end of that definition, Bash will wind up executing those commands.

---