[Mongrel] [Rails] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
Jeremy Kemper
jeremy at bitsweat.net
Wed Oct 25 16:29:33 EDT 2006
On 10/25/06, Zed A. Shaw <zedshaw at zedshaw.com> wrote:
>
> There is a DoS for Ruby's cgi.rb that is easily exploitable. The attack
> involves sending a malformed multipart MIME body in an HTTP request. The
> full explanation of the attack as well as how to fix it RIGHT NOW is given
> below.
>
> I'm putting this fix into the Mongrel pre-release process to give Matz
> time to get an official release out. If he doesn't within the next few days
> then I'll turn this into an official Mongrel release.
To underline and bold: you're unaffected if you're in production on FastCGI.
The vulnerability has been reported to security at ruby-lang.org and the
various OS distros. Matz fixed it in 1.8 CVS but hasn't backported, hence
the full disclosure and hotfix now.
Track it at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467 (should
be up shortly).
jeremy
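Neither message above includes the actual hotfix, so here is an added example of the defensive pattern a multipart reader needs so that a malformed body cannot pin a CPU. It is not cgi.rb, not Zed's patch, and not the Mongrel pre-release code; it assumes (the page only says "malformed multipart MIME body" and "99% CPU") that the failure mode is a read loop that never sees the closing boundary and keeps asking an exhausted stream for more. The reader, the sample bodies and the hypothetical helper names (`read_multipart`, `sample_body`, `classify`) are constructed for this example.

```ruby
require 'stringio'

CRLF  = "\r\n".b
CHUNK = 8   # deliberately tiny so the sample bodies below span many reads

class MalformedMultipart < StandardError; end

# Name from a part's Content-Disposition header.
def field_name(head)
  m = head.match(/name="([^"]*)"/i)
  raise MalformedMultipart, "part without a form-data name" unless m
  m[1]
end

# Streams a multipart/form-data body out of +io+ and returns
# [{ name: "field", body: "bytes" }, ...]. Every iteration either consumes
# buffered bytes or reads new ones; when neither is possible it raises
# instead of spinning. (Hypothetical reader written for this example.)
def read_multipart(io, boundary, content_length, max_body: 1 << 20)
  raise MalformedMultipart, "empty boundary" if boundary.to_s.empty?
  raise MalformedMultipart, "Content-Length above #{max_body}" if content_length > max_body
  delimiter = "--#{boundary}".b
  buf       = String.new("", encoding: Encoding::BINARY)
  remaining = content_length
  parts     = []
  state     = :preamble
  head      = nil

  loop do
    case state
    when :preamble               # anything before the first delimiter is discarded
      if (i = buf.index(delimiter))
        buf = buf[(i + delimiter.bytesize)..-1]
        state = :after_delim
        next
      end
    when :after_delim            # "--" closes the body, CRLF opens a part
      if buf.start_with?("--")
        return parts
      elsif buf.start_with?(CRLF)
        buf = buf[2..-1]
        state = :headers
        next
      elsif buf.bytesize >= 2    # strict: no transport padding accepted
        raise MalformedMultipart, "unexpected bytes after boundary"
      end
    when :headers                # part headers end at a blank line
      if (i = buf.index(CRLF + CRLF))
        head = buf[0, i]
        buf = buf[(i + 4)..-1]
        state = :body
        next
      end
    when :body                   # part body runs up to CRLF + delimiter
      if (i = buf.index(CRLF + delimiter))
        parts << { name: field_name(head), body: buf[0, i] }
        buf = buf[(i + 2 + delimiter.bytesize)..-1]
        state = :after_delim
        next
      end
    end

    # No progress possible from what is buffered: read more, or fail closed.
    # An exhausted stream must end the loop, not be asked again; the buffer is
    # bounded by Content-Length, which is itself bounded by max_body.
    raise MalformedMultipart, "body ended before closing boundary" if remaining <= 0
    chunk = io.read([CHUNK, remaining].min)
    raise MalformedMultipart, "stream exhausted before Content-Length" if chunk.nil? || chunk.empty?
    buf << chunk
    remaining -= chunk.bytesize
  end
end

# Builds a constructed sample body; terminate: false drops the closing delimiter.
def sample_body(fields, boundary, terminate: true)
  s = +""
  fields.each do |name, value|
    s << "--#{boundary}#{CRLF}Content-Disposition: form-data; name=\"#{name}\"#{CRLF}#{CRLF}#{value}#{CRLF}"
  end
  s << "--#{boundary}--#{CRLF}" if terminate
  s
end

# Returns the parsed parts, or the error message when the body is rejected.
def classify(body, boundary, content_length)
  read_multipart(StringIO.new(body), boundary, content_length)
rescue MalformedMultipart => e
  e.message
end

if __FILE__ == $0
  good = sample_body({ "user" => "alice", "note" => "hi\r\nthere" }, "xYzZY")
  p classify(good, "xYzZY", good.bytesize)
  cut = sample_body({ "user" => "alice" }, "xYzZY", terminate: false)
  p classify(cut, "xYzZY", cut.bytesize)          # honest length, no terminator
  p classify(cut, "xYzZY", cut.bytesize + 4096)   # Content-Length overstated
  p classify("", "xYzZY", 4096)                   # header only, no body at all
  p classify(good, "", good.bytesize)             # empty boundary
end
```

The point of the structure is the last five lines of the loop: a reader that only has "read more" as its fallback will spin forever once `read` starts returning nil or an empty string, whereas here the two checks turn every form of truncation (honest Content-Length with no terminator, overstated Content-Length, no body at all) into a single raised error that the server can answer with a 400 and move on.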