[Mongrel] Regarding the 1.1.3 security release

Ezra Zygmuntowicz ezmobius at gmail.com
Sat Dec 29 01:26:26 EST 2007


On Dec 28, 2007, at 9:35 PM, Tom Copeland wrote:

> * Apologies for starting a new thread; I just subscribed.
>
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache?  I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
>
> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...
>
> Thanks,
>
> Tom
>

	As far as I can tell this is only exploitable on direct mongrel hits.  
I cannot make it happen on mongrels behind nginx or apache.

Cheers-
- Ezra Zygmuntowicz
-- Founder & Software Architect
-- ezra at engineyard.com
-- EngineYard.com



More information about the Mongrel-users mailing list