Michael Lin and Larry Seltzer wrote: Bash can be called directly by the CGI (i.e. a Bash script), or it could be called via a subprocess or system command. If Bash is started at any point within the context of this malicious CGI request, then the vulnerability will be triggered.
I think this means that it doesn't matter whether Bash is your default shell or not. As long as it's installed on the vulnerable system and an attacker can formulate the right command to do something to start Bash, you still have a risk of getting pwned.
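For defenders who want to see which CGI files fall under the condition quoted above, here is an added example (not part of the original post or the quoted article) that sorts the files in a CGI directory by how a request could end up starting Bash. The spawn-token heuristic, the verdict names and the function names are assumptions of this sketch.

```python
import os
import re

# Heuristic (an assumption of this sketch): tokens that usually mean a shell or
# child process gets spawned from Perl, PHP, Python, Ruby or sh CGI code.
SPAWN = re.compile(rb"\b(bash|system|popen|subprocess|shell_exec|passthru)\b|`[^`\n]+`")

def sh_resolves_to_bash(sh_path="/bin/sh"):
    """True when sh is a link to bash, so system()/popen() start Bash."""
    return os.path.basename(os.path.realpath(sh_path)) == "bash"

def interpreter(first_line):
    """Return the interpreter name from a shebang line, or None."""
    if not first_line.startswith(b"#!"):
        return None
    parts = first_line[2:].split()
    if not parts:
        return None
    name = os.path.basename(parts[0])
    if name == b"env" and len(parts) > 1:   # "#!/usr/bin/env bash" style
        name = os.path.basename(parts[1])
    return name.decode("ascii", "replace")

def classify(path, sh_is_bash):
    """How could a request to this CGI file end up starting Bash?"""
    with open(path, "rb") as f:
        data = f.read()
    head, _, body = data.partition(b"\n")
    interp = interpreter(head)
    if interp == "bash" or (interp == "sh" and sh_is_bash):
        return "direct"        # the CGI itself runs under Bash
    if SPAWN.search(body if interp else data):
        return "indirect"      # may reach Bash through a child process
    return "none-found"        # heuristic found nothing; not proof of safety

def audit(cgi_dir, sh_is_bash=None):
    """Classify every regular file under cgi_dir; returns {relative path: verdict}."""
    if sh_is_bash is None:
        sh_is_bash = sh_resolves_to_bash()
    result = {}
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, cgi_dir)] = classify(full, sh_is_bash)
    return result
```

An "indirect" verdict only flags a file for review: whether the child process actually reaches Bash depends on what `/bin/sh` resolves to and on the command being run.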