[Mongrel] [SECURITY] DOS In cgi.rb Announced, Upgrade Your Ruby

Zed A. Shaw zedshaw at zedshaw.com
Mon Dec 4 18:26:21 EST 2006


It's time again for your monthly cgi.rb DOS vulnerability.  This latest vulnerability is different from the one that cgi_multipart_eof_fix.gem fixed.  This one is related to the boundary taken from the web client being used incorrectly.

You can read about the vulnerability:

	http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library

The applicable PATCH is here:

	http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.68.2.18&r2=1.68.2.19

That covers just this vulnerability; if you want both this one and the previous one, it's:

	http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.68.2.17&r2=1.68.2.19


The full source is here:

	http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz

And the original posting from Urabe Shyouhei:

	http://groups-beta.google.com/group/comp.lang.ruby/browse_frm/thread/bdc7a5f5f48827b2/d39e95b3bb035162#d39e95b3bb035162

I will NOT be releasing a similar fix gem for Mongrel, and instead will encourage people to either upgrade or apply the patch themselves.  I'll sort out whether I can do a Mongrel release now that doesn't have the original cgi_multipart_eof_fix gem included as well.

FULL DESCRIPTION

The vulnerability is that when the web browser sends a multipart HTTP request, it is the browser that decides what the boundary string should be.  The web server has to protect itself against the client choosing a malicious boundary, since the client can't be trusted.

In cgi.rb the boundary variable was originally interpolated directly into the regex used later to find the part boundaries, without being quoted.  This means a client can choose a boundary that is itself a regex that eats the CPU, and it gets injected into the final regex used to find matching boundaries.

COURSE OF ACTION

You have three possible things you can do right now:

1) Apply the above patch to cgi.rb and restart all your mongrel servers.
2) Upgrade to the 1.8.5-p2 version of ruby.  Some systems have already started pushing this out.
3) If you can, restrict multipart mime requests to only the URLs that should accept them, and possibly even reject multipart requests whose boundary contains anything other than alphanumeric characters and dashes.  This is still risky, but it might get you over the hump.
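The two points above (the unquoted boundary going into a regex, and the alphanumeric-plus-dashes restriction in item 3) as an added, self-contained Ruby example.  This is not cgi.rb's code, Mongrel's code, or the ruby-lang patch; the helper names, the allowlist, and the sample request body are this example's own assumptions.  It shows the vulnerable pattern beside the quoted one, and refuses a boundary before any regex is built from it.

```ruby
# Added example, not cgi.rb's or Mongrel's code: handling a client-chosen
# multipart boundary safely. The boundary arrives in the Content-Type header
# the client sends, so it is attacker-controlled input. Helper names, the
# allowlist and the sample body below are this example's own choices.

# Pull the boundary parameter out of a multipart/form-data Content-Type
# header. Returns nil when the header is not multipart or has no boundary.
def extract_boundary(content_type)
  return nil unless content_type =~ %r{\Amultipart/form-data\s*;}i
  m = content_type.match(/boundary=(?:"([^"]*)"|([^;\s]*))/i)
  m && (m[1] || m[2])
end

# The conservative allowlist from item 3 of the post: alphanumerics and
# dashes only. The 70-character cap is the maximum boundary length RFC 2046
# permits.
BOUNDARY_ALLOWLIST = /\A[A-Za-z0-9-]{1,70}\z/

def boundary_acceptable?(boundary)
  !boundary.nil? && !!(boundary =~ BOUNDARY_ALLOWLIST)
end

# The vulnerable shape the post describes: the raw boundary is interpolated
# into the pattern, so any regex metacharacters it contains change what the
# pattern means (here a "." in the boundary would match any character).
def unsafe_boundary_regex(boundary)
  /--#{boundary}\r\n/
end

# The hardened shape: Regexp.quote escapes every metacharacter, so the
# boundary can only ever match itself as a literal string.
def safe_boundary_regex(boundary)
  /--#{Regexp.quote(boundary)}\r\n/
end

# Split a multipart body into its raw parts (headers + content) using the
# quoted boundary. Expects the body to begin with the opening delimiter and
# end with the closing "--boundary--" line. Returns nil if the boundary
# fails the allowlist, so a hostile boundary never reaches a regex at all.
def split_parts(body, boundary)
  return nil unless boundary_acceptable?(boundary)
  delim = Regexp.quote(boundary)
  m = body.match(/\A--#{delim}\r\n(.*)\r\n--#{delim}--/m)
  return [] unless m
  m[1].split(/\r\n--#{delim}\r\n/)
end

# Split one raw part into a lowercase-keyed header hash and its content.
def parse_part(part)
  head, content = part.split("\r\n\r\n", 2)
  headers = head.to_s.split("\r\n").each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [headers, content.to_s]
end

# End-to-end: header and body in, array of [headers, content] pairs out,
# or nil when the request is refused.
def parse_multipart(content_type, body)
  parts = split_parts(body, extract_boundary(content_type))
  parts && parts.map { |p| parse_part(p) }
end

# Constructed sample request body (not captured traffic).
SAMPLE_BOUNDARY = "----ExampleBoundary42"
SAMPLE_BODY = [
  "--#{SAMPLE_BOUNDARY}",
  'Content-Disposition: form-data; name="user"',
  "",
  "alice",
  "--#{SAMPLE_BOUNDARY}",
  'Content-Disposition: form-data; name="note"',
  "",
  "hello world",
  "--#{SAMPLE_BOUNDARY}--",
  ""
].join("\r\n")

if __FILE__ == $0
  ctype = "multipart/form-data; boundary=#{SAMPLE_BOUNDARY}"
  parse_multipart(ctype, SAMPLE_BODY).each do |headers, content|
    puts "#{headers['content-disposition']} => #{content.inspect}"
  end
  # A boundary carrying a metacharacter is refused before any regex is built.
  puts parse_multipart("multipart/form-data; boundary=a|b", SAMPLE_BODY).inspect
end
```

The allowlist check runs first on purpose: with it in place the `Regexp.quote` call is belt-and-braces, and a server that only applies item 3 (for example in a front-end proxy that can inspect Content-Type but not patch cgi.rb) still never hands a metacharacter-laden boundary to the regex engine.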

GETTING HELP

If you are totally stuck and still need help I'll be hanging out in the Lingr room for the rest of the evening:

http://www.lingr.com/room/3yXhqKbfPy8

Feel free to bug me with questions.

-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
