[Mongrel] Arbitrary system files readable in 1.0.4 - 1.1.2

Luis Lavena luislavena at gmail.com
Fri Dec 28 23:20:33 EST 2007


On Dec 28, 2007 7:01 PM, Eric Mason <lists at ruby-forum.com> wrote:
> I just found a vulnerability in one of my web apps that was running
> Mongrel 1.1.2 where I could go to URIs like
> /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> would serve the actual /etc/passwd file.
>
> The issue seems to be in lib/mongrel/handlers.rb in the change from
> 1.0.3 to 1.0.4
>

Can you download and install the 1.1.3 gem I put online from here:

http://mmediasys.com/mongrel/mongrel-1.1.3.gem

and let me know if it worked before we put it on RubyForge?

Also, knowing the Dir.pwd of your public doc root will be good, or a
test case showing the problem, since I couldn't reproduce the behavior
you described under Windows.

(I know there isn't /etc/passwd on Windows, tried another file) :-D

Please let me know ASAP.

-- 
Luis Lavena
Multimedia systems
-
A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.
Douglas Adams
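
The double-encoded URI quoted in the report, run through a docroot containment check, as an added example that is not Mongrel's code and not part of the original message. The docroot, the function names and the "flawed" decode-after-check ordering are assumptions made for illustration; the thread does not say what lib/mongrel/handlers.rb actually did.

```ruby
# Constructed docroot for the example; nothing is read from disk.
DOCROOT = '/var/www/app/public'

# The URI from the report: seven ".%252e" segments, then /etc/passwd.
PAGE_URI = '/.%252e' * 7 + '/etc/passwd'

# Percent-decode a path exactly once ("%252e" becomes "%2e", not ".").
def unescape_once(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Canonicalise docroot + path and return the absolute path,
# or nil when the result falls outside the docroot.
def contained_path(docroot, path)
  root = File.expand_path(docroot)
  full = File.expand_path(File.join(root, path))
  (full == root || full.start_with?(root + File::SEPARATOR)) ? full : nil
end

# Hypothetical flawed ordering: the containment check runs on the
# once-decoded path, but the path is decoded a second time before use.
def flawed_resolve(docroot, request_path)
  checked = contained_path(docroot, unescape_once(request_path))
  return nil unless checked
  File.expand_path(unescape_once(checked))
end

# Hardened ordering: decode once, canonicalise, check, and hand back
# exactly the path that was checked. No decoding happens after the check.
def safe_resolve(docroot, request_path)
  decoded = unescape_once(request_path)
  return nil if decoded.include?("\0")
  contained_path(docroot, decoded)
end

if __FILE__ == $0
  puts "flawed: #{flawed_resolve(DOCROOT, PAGE_URI).inspect}"
  puts "safe:   #{safe_resolve(DOCROOT, PAGE_URI).inspect}"
  puts "single: #{safe_resolve(DOCROOT, '/%2e%2e' * 5 + '/etc/passwd').inspect}"
end
```

With the hardened ordering the reported URI resolves to a literal `.%2e` directory name under the docroot, which a file lookup would then fail to find, while a singly encoded `%2e%2e` traversal is rejected outright.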

