[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack
Zed A. Shaw
zedshaw at zedshaw.com
Thu Oct 26 04:14:00 EDT 2006
On Wed, 25 Oct 2006 19:51:58 -0400
"Ian C. Blenke" <ian at blenke.com> wrote:
> Zed A. Shaw wrote:
>
> >There is a DoS for Ruby's cgi.rb that is easily exploitable. The attack involves sending a malformed multipart MIME body in an HTTP request. The full explanation of the attack as well as how to fix it RIGHT NOW is given below.
> Using 0.3.13.5 + the revision 356 patch (not really sure how necessary
> that was), along with replacing cgi.rb, has solved most of our mongrel woes.
>
If you ever get desperate for a previous pre-release of Mongrel, you can just go here:
http://mongrel.rubyforge.org/releases/gems/
And find almost everything for all time.
BTW, how was 0.3.14 pre-release for you? I've got reports it somehow breaks X-Sendfile support.
--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://safari.oreilly.com/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.