[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
Zed A. Shaw
zedshaw at zedshaw.com
Thu Oct 26 04:14:00 EDT 2006
On Wed, 25 Oct 2006 19:51:58 -0400
"Ian C. Blenke" <ian at blenke.com> wrote:
> Zed A. Shaw wrote:
> >There is a DoS for Ruby's cgi.rb that is easily exploitable. The attack involves sending a malformed multipart MIME body in an HTTP request. The full explanation of the attack as well as how to fix it RIGHT NOW is given below.
> Using 0.3.13.5 + the revision 356 patch (not really sure how necessary
> that was), along with replacing cgi.rb, has solved most of our mongrel woes.
If you ever get desperate for a previous pre-release of Mongrel, you can just go here:
And find almost everything for all time.
BTW, how was 0.3.14 pre-release for you? I've got reports it somehow breaks X-Sendfile support.
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://safari.oreilly.com/0321483502 -- The Mongrel Book
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.