[Mongrel] [SEC] Mongrel Temporary Fix For cgi.rb 99% CPU DoS Attack

Zed A. Shaw zedshaw at zedshaw.com
Thu Oct 26 04:14:00 EDT 2006


On Wed, 25 Oct 2006 19:51:58 -0400
"Ian C. Blenke" <ian at blenke.com> wrote:

> Zed A. Shaw wrote:
> 
> >There is a DoS for Ruby's cgi.rb that is easily exploitable.  The attack involves sending a malformed multipart MIME body in an HTTP request.  The full explanation of the attack as well as how to fix it RIGHT NOW is given below.

> Using 0.3.13.5 + the revision 356 patch (not really sure how necessary 
> that was), along with replacing cgi.rb, has solved most of our mongrel woes.
>

If you ever get desperate for a previous pre-release of Mongrel, you can just go here:

http://mongrel.rubyforge.org/releases/gems/

And find almost everything for all time.
 
BTW, how was 0.3.14 pre-release for you?  I've got reports it somehow breaks X-Sendfile support.

-- 
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://safari.oreilly.com/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
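As an added illustration (not code from this post, nor from Mongrel or Ruby's cgi.rb; the limits, names and sample body are assumptions), here is the kind of structural pre-check a front end can run on a multipart/form-data body before handing it to a permissive CGI-style parser: bodies whose boundary is missing or malformed, whose closing delimiter is absent, or that carry an unreasonable number of parts are rejected up front rather than passed to a parser that may spin on them.

```ruby
# Added example, not from the mailing-list post or from Mongrel/cgi.rb.
# Conservative well-formedness check for multipart/form-data request bodies.
# Limits below are assumed values; tune them for the application.

MAX_PARTS = 100               # assumed cap on parts per body
MAX_BODY  = 8 * 1024 * 1024   # assumed cap on body size in bytes

# Extract the boundary parameter from a Content-Type header value.
# Returns nil when the header is not multipart/form-data or has no boundary.
def multipart_boundary(content_type)
  return nil unless content_type
  m = content_type.match(/\Amultipart\/form-data\s*;.*?boundary=(?:"([^"]+)"|([^;\s]+))/i)
  return nil unless m
  m[1] || m[2]
end

# Classify a body as :ok or one of the rejection reasons:
# :no_boundary, :too_large, :missing_opening, :missing_closing, :too_many_parts.
def check_multipart(content_type, body)
  boundary = multipart_boundary(content_type)
  # RFC 2046 bounds the boundary to 1..70 characters.
  return :no_boundary if boundary.nil? || boundary.empty? || boundary.length > 70
  return :too_large if body.bytesize > MAX_BODY

  delim    = "--#{boundary}"
  open_re  = /^#{Regexp.escape(delim)}\r\n/   # delimiter starting a part
  close_re = /^#{Regexp.escape(delim)}--/     # terminating delimiter

  return :missing_opening unless body =~ open_re
  return :missing_closing unless body =~ close_re

  parts = body.scan(open_re).length
  return :too_many_parts if parts > MAX_PARTS
  :ok
end

# Constructed sample body with one well-formed part.
SAMPLE_CT   = "multipart/form-data; boundary=AaB03x"
SAMPLE_BODY = "--AaB03x\r\n" \
              "Content-Disposition: form-data; name=\"f\"\r\n" \
              "\r\n" \
              "hello\r\n" \
              "--AaB03x--\r\n"

if __FILE__ == $0
  puts check_multipart(SAMPLE_CT, SAMPLE_BODY)                  # :ok
  puts check_multipart(SAMPLE_CT, SAMPLE_BODY.sub("--AaB03x--\r\n", ""))  # :missing_closing
end
```

A request that fails this check can be answered with 400 before any multipart parsing happens, which keeps a malformed body from reaching the slow path at all; the check is deliberately structural and does not try to interpret part contents.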
