discourage piping the output of curl directly into bash #50
Comments
|
I WROTE ONE THAT IS EVEN BETTER http://master.ms/security-check.php HAHAHAHAHA :D :D :D |
|
HAHAHAAHAHAHAHAHAHAHAA :D :D |
|
+1 As much as I would to download some invisible script from shellshocksRus.co, etc., it isn't a good idea. At worst, it's a hacker trying to ruin my life. At best, it's a very smelly practice by a security website that should know better. |
|
I understand that it's bad practice, though one liners are becoming the de-facto-standard for installing and running scripts on systems. See https://www.meteor.com/install for example, People want a fast and effective way to test their system, the one liner helps them do that. I went with the one liner because I wanted something people could copy and paste and be sure they are always getting the latest test for their system. If we have someone download the script first, then execute it, they might go back to the same script (even though it's been updated) and run an outdated test. The one liner ensures every run is the latest script available to test their systems. |
and others
Would you please remove the suggestion to pipe the output of curl directly into bash? This is a very bad security practice. To prove this, please see my example here:
http://www.brockmann-consult.de/peter2/securitylesson/
It uses a simple RewriteCond and RewriteRule to give you a different script depending on your user agent. Even if your provider doesn't give you access to do this, a simple man-in-the-middle attack or someone that runs the provider can accomplish the same thing. And even if somehow your site was magically immune to this, you should not be encouraging anyone to use this method, but instead to be cautious.
Thanks
The text was updated successfully, but these errors were encountered: