here is my simple bash command line to test if your site is vulnerable to remote bash vulnerability
https://gist.github.com/mfadzilr/70892f43597e7863a8dc
during my test, as long the cgi has "#!/bin/bash" it is vulnerable to an attack, and you can change the http method and header to anything (i think), it would still work.
