[Mongrel] Regarding the 1.1.3 security release
luislavena at gmail.com
Sat Dec 29 01:12:33 EST 2007
On Dec 29, 2007 2:35 AM, Tom Copeland <tom at infoether.com> wrote:
> * Apologies for starting a new thread; I just subscribed.
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache? I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
Yeah Tom, using a proxy/balancer like apache and nginx will filter
this, but some folks serve mongrel directly, or using not-so-clever
balancers that didn't filter this kind of exploits.
> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...
Most common use of mongrel is "behind a proxy or balancer", so I only
see development servers is being affected by this.
Or, maybe I'm wrong (which happens quite often).
A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.
More information about the Mongrel-users