Re: bash 'Shell Shock' vulnerability

Hi Hannah,
Hi Peter. I've tested various builds of busybox ash myself and haven't found the vuln applies. Could you supply some more details?
It is a QNAP NAS TS-239 Pro2.
Were you testing with the () {} string in an HTTP header?
No, the web server does not respond anymore.
Peter Ross wrote:
I have an older QNAP NAS appliance (used for backup) that is vulnerable as well.
[~] # x='() { :;}; echo VULNERABLE' bash -c :
-sh: bash: command not found
[~] # x='() { :;}; echo VULNERABLE' sh -c :
VULNERABLE
[~] # sh --version
GNU bash, version 3.2.0(17)-release (i686-pc-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
[~] # uname -a
Linux backup 2.6.30.6 #1 SMP Sat Apr 10 06:48:32 CST 2010 i686 unknown
AFAIK Busybox uses ash. [as Wikipedia says]
Obviously not this one. It has a lot of symlinks to busybox in /bin but its shell is bash.

Maybe I do a re-install of "something". I am not sure at the moment. It only copies directories and files to it on a weekly basis, with external disks used to back them up permanently (and partially off-site). If I put the disks somewhere else I do not need the box anymore. It was just a handy box already in place before I started here.

Regards
Peter
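An added example, not part of the original thread: a POSIX sh script that runs the same probe as in the session above against each shell name and prints which binary the name resolves to, since `sh` on this box turned out to be bash. The function names, the marker string and the candidate list are assumptions of this example, and it checks only the probe shown in the thread.

```shell
#!/bin/sh
# Added example: which shell names on this host run code smuggled in through
# an environment variable? Names and marker below are constructed.
MARKER='FUNCTION_IMPORT_PROBE_HIT'

# probe_shell NAME_OR_PATH -> prints missing | vulnerable | not-vulnerable
probe_shell() {
    if ! command -v "$1" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Same harmless probe as in the thread: a function definition followed by
    # a trailing echo. An affected bash runs the echo while importing x.
    out=$(env x="() { :;}; echo $MARKER" "$1" -c : 2>/dev/null </dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo not-vulnerable ;;
    esac
}

# describe_shell NAME -> resolved binary plus first line of --version, if any.
# busybox symlinks and a bash installed as sh both show up here.
describe_shell() {
    resolved=$(readlink -f "$(command -v "$1")" 2>/dev/null) || true
    version=$("$1" --version 2>/dev/null </dev/null | head -n 1) || true
    echo "${resolved:-unknown} ${version:+($version)}"
}

# audit_shells -> one line per shell name that exists on this host
audit_shells() {
    for s in sh bash ash dash; do
        result=$(probe_shell "$s")
        if [ "$result" != missing ]; then
            printf '%-5s %-15s %s\n' "$s" "$result" "$(describe_shell "$s")"
        fi
    done
}

audit_shells
```

A `vulnerable` line for `sh` whose resolved binary reports a GNU bash version is the situation described in this thread.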