[Mongrel] Regarding the 1.1.3 security release
evan at cloudbur.st
Sat Dec 29 02:16:53 EST 2007
I think 'pen' is vulnerable. I don't think mod_proxy_balancer is. You
will need to check your own site.
The new gems will be out in a few hours for all platforms.
On Dec 29, 2007 1:12 AM, Luis Lavena <luislavena at gmail.com> wrote:
> On Dec 29, 2007 2:35 AM, Tom Copeland <tom at infoether.com> wrote:
> > * Apologies for starting a new thread; I just subscribed.
> > Has anyone been able to make this exploit happen if requests are being
> > proxied to Mongrel through Apache? I've been trying variations on the
> > double-encoding thing and can't trigger the exploit through Apache.
> > Hitting Mongrel directly does expose the problem.
> Yeah Tom, using a proxy/balancer like apache and nginx will filter
> this, but some folks serve mongrel directly, or using not-so-clever
> balancers that didn't filter this kind of exploits.
> > I'll still upgrade my servers, of course, but I don't want to send an
> > unnecessary "upgrade now" note to other folks...
> Most common use of mongrel is "behind a proxy or balancer", so I only
> see development servers is being affected by this.
> Or, maybe I'm wrong (which happens quite often).
> Luis Lavena
> Multimedia systems
> A common mistake that people make when trying to design
> something completely foolproof is to underestimate
> the ingenuity of complete fools.
> Douglas Adams
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
More information about the Mongrel-users