[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Zed A. Shaw zedshaw at zedshaw.com
Thu Oct 26 04:14:00 EDT 2006

On Wed, 25 Oct 2006 19:51:58 -0400
"Ian C. Blenke" <ian at blenke.com> wrote:

> Zed A. Shaw wrote:
> >There is a DoS for Ruby's cgi.rb that is easily exploitable.  The attack involves sending a malformed multipart MIME body in an HTTP request.  The full explanation of the attack as well as how to fix it RIGHT NOW is given below.

> Using + the revision 356 patch (not really sure how necessary 
> that was), along with replacing cgi.rb, has solved most of our mongrel woes.

If you ever get desperate for a previous pre-release of Mongrel, you can just go here:


And find almost everything for all time.
BTW, how was 0.3.14 pre-release for you?  I've got reports it somehow breaks X-Sendfile support.

Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://safari.oreilly.com/0321483502 -- The Mongrel Book
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
