[Mongrel] [Rails] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Jeremy Kemper jeremy at bitsweat.net
Wed Oct 25 16:29:33 EDT 2006

On 10/25/06, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
> There is a DoS for Ruby's cgi.rb that is easily exploitable.  The attack
> involves sending a malformed multipart MIME body in an HTTP request.  The
> full explanation of the attack as well as how to fix it RIGHT NOW is given
> below.
> I'm putting this fix into the Mongrel pre-release process to give Matz
> time to get an official release out.  If he doesn't within the next few days
> then I'll turn this into an official Mongrel release.

To underline and bold: you're unaffected if you're in production on FastCGI.

The vulnerability has been reported to security at ruby-lang.org and the
various OS distros. Matz fixed it in 1.8 CVS but hasn't backported, hence
the full disclosure and hotfix now.

Track it at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467 (should be up shortly).
