Sucuri’s latest announcement about the Shellshock vulnerability says that millions of WordPress sites are at risk. Unlike other cases, no plugin is being exploited here. The culprit this time is the bash shell that is a part of every server. Bash is a command processor where users can type in commands and execute them, for example to list the contents of a directory, change a password, or view a file. If Heartbleed was known as the biggest troublemaker in recent times, Shellshock is many times worse. What makes it worse is that, unlike the usual vulnerabilities that users can patch directly, Shellshock has no easy solution for the average user. It is mostly up to system administrators and hosting providers to patch it.
The issue is related to how bash uses environment variables to do its work. While browsing the Internet, these variables are passed from the server to your computer and executed by your bash shell. The vulnerability lets attackers pass malicious commands as variables which get executed by the shell. This way the attackers can run any command and gain access to your site. They can then proceed with using your site to send spam, host their own content, and generally wreak havoc.
If bash only accepted commands from humans, this wouldn’t have been a vulnerability. Unfortunately, bash also accepts input from other programs. For example, when you load a site that includes dynamic content, the server processing it may use bash commands to retrieve your request. HTTP_USER_AGENT, for example, is commonly used to tell the server which browser you are using. But malicious users can change the user agent variable to include their code. When these evildoers visit a site, the server will automatically execute this code, allowing the attacker to hack into the server.
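Because a bash function definition begins with `() {` and no real browser sends that as its user agent, such requests stand out in web server access logs. The Python scan below is an added example, not code from Sucuri or the original post; it also checks the request line and referer, which goes slightly beyond the user-agent case above. The log lines are constructed samples in the "combined" log format, and all names in the code are this example's own.

```python
import re

# Combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
# A bash function definition starts with "() {"; browsers never send that.
MARKER = re.compile(r'\(\)\s*\{')
FIELDS = ("request", "referer", "user_agent")

# Constructed sample lines (documentation IP ranges, harmless echo payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :; }; echo constructed-probe"',
    '203.0.113.5 - - [25/Sep/2014:10:05:09 +0000] "GET / HTTP/1.1" 200 5120 "() { x; }; echo constructed-probe" "curl/7.38.0"',
    '192.0.2.44 - - [25/Sep/2014:10:06:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
]

def check_line(line):
    """Return (host, [client-controlled fields that contain the marker])."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        # Unparseable line: still flag it if the marker appears anywhere.
        return "?", (["raw_line"] if MARKER.search(line) else [])
    host, *values = m.groups()
    return host, [name for name, v in zip(FIELDS, values) if MARKER.search(v)]

def scan(lines):
    """Return (line number, host, flagged fields) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        host, fields = check_line(line)
        if fields:
            hits.append((number, host, fields))
    return hits

if __name__ == "__main__":
    for number, host, fields in scan(SAMPLE_LOG):
        print(f"line {number}: {host} sent a function definition in {', '.join(fields)}")
```

A hit only shows that someone probed the server; whether the probe succeeded depends on whether bash had been patched at the time.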
The widespread use of bash makes almost every computer vulnerable. However, servers are targeted the most because of the widespread damage that can be caused. It turns out that cPanel users are at high risk, and this amounts to a huge number of WordPress sites. So if you’re using cPanel, you should patch your servers right away. For those who aren’t sure what they’re using, go ahead and patch anyway.