[Mongrel] Regarding the 1.1.3 security release

Luis Lavena luislavena at gmail.com
Sat Dec 29 01:12:33 EST 2007


On Dec 29, 2007 2:35 AM, Tom Copeland <tom at infoether.com> wrote:
> * Apologies for starting a new thread; I just subscribed.
>
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache?  I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
>

Yeah Tom, using a proxy/balancer like Apache and nginx will filter
this, but some folks serve Mongrel directly, or use not-so-clever
balancers that didn't filter this kind of exploit.

> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...

The most common use of Mongrel is "behind a proxy or balancer", so I only
see development servers being affected by this.

Or, maybe I'm wrong (which happens quite often).

-- 
Luis Lavena
Multimedia systems
-
A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.
Douglas Adams

