
Right you are. I overlooked that. However, calling it correctly still gives the same:

sh-3.2$ env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
vulnerable
this is a test

However, as Douglas stated earlier, it's limited to bash and sh in OSX; the others seem to be ok.

sh-3.2$ env x='() { :;}; echo vulnerable' /bin/csh -c "echo this is a test"
this is a test

On 26 Sep 2014, at 2:25 pm, Peter Ross <Petros.Listig@fdrive.com.au> wrote:

> From: "Joh Lindley" <joh.lindley@dcwest.net.au>
>
> Is Apple's sh a bash? I thought they are using FreeBSD's userland (FreeBSD's sh is not affected [at least the tests are negative and there is no SA])
>
> It would appear so.
>
> sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
>
> You are calling the bash [not /bin/sh] here. It shows that you have a bash installed.
>
> Regards
> Peter
> _______________________________________________
> luv-main mailing list
> luv-main@luv.asn.au
> http://lists.luv.asn.au/listinfo/luv-main
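
The distinction the thread turns on is whether a test ran `bash` by name or ran `/bin/sh`, which may itself be bash. The script below is an added example, not part of any poster's message. It runs the thread's probe against each shell by full path and reports whether that binary identifies as bash. The function names and the list of shell paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. PROBE is the test string quoted in the thread; function names
# and the shell list at the bottom are hypothetical.
PROBE='() { :;}; echo vulnerable'

# classify_output TEXT -> "vulnerable" when the probe's marker was printed
# ahead of the command's own output, otherwise "ok".
classify_output() {
    case "$1" in
        vulnerable*) echo vulnerable ;;
        *)           echo ok ;;
    esac
}

# shell_flavour PATH -> "bash <version>" when the binary is bash, even if it
# is installed under the name sh; otherwise "other".
shell_flavour() {
    v=$("$1" -c 'echo "$BASH_VERSION"' 2>/dev/null) || v=""
    if [ -n "$v" ]; then echo "bash $v"; else echo other; fi
}

# check_shell PATH -> "missing", "vulnerable" or "ok".
check_shell() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x="$PROBE" "$1" -c 'echo this is a test' 2>/dev/null) || :
    classify_output "$out"
}

# report PATH... -> one line per shell: path, probe result, flavour.
report() {
    for s in "$@"; do
        result=$(check_shell "$s")
        flavour="-"
        [ "$result" = missing ] || flavour=$(shell_flavour "$s")
        printf '%-12s %-12s %s\n' "$s" "$result" "$flavour"
    done
}

# Always pass full paths, so the result describes that binary and not
# whichever bash happens to be first in PATH.
report /bin/sh /bin/bash /bin/csh /bin/ksh /bin/zsh
```

A `/bin/sh` line reading `vulnerable` with flavour `bash 3.2...` corresponds to the OS X result reported above; a `/bin/sh` that reports `other` is a different shell and the probe says nothing about any bash installed alongside it.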