Right you are. I overlooked that. 

However calling it correctly still gives the same

sh-3.2$ env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
vulnerable
this is a test

However, as Douglas stated earlier, its limited to bash and sh in OSX the others seem to be ok.

sh-3.2$ env x='() { :;}; echo vulnerable' /bin/csh -c "echo this is a test"
this is a test



On 26 Sep 2014, at 2:25 pm, Peter Ross <Petros.Listig@fdrive.com.au> wrote:

From: "Joh Lindley" <joh.lindley@dcwest.net.au>
Is Apple's sh a bash? I thought they are using FreeBSD's userland
(FreeBSD's sh is not affected [at least the tests are negative and
there
is no SA])
It would appear so.
sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

You are calling the bash [not /bin/sh] here.

It shows that you have a bash installed.

Regards
Peter


_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main