[Mongrel] Regarding the 1.1.3 security release

Evan Weaver evan at cloudbur.st
Sat Dec 29 02:16:53 EST 2007


I think 'pen' is vulnerable. I don't think mod_proxy_balancer is. You
will need to check your own site.

The new gems will be out in a few hours for all platforms.

Evan

On Dec 29, 2007 1:12 AM, Luis Lavena <luislavena at gmail.com> wrote:
> On Dec 29, 2007 2:35 AM, Tom Copeland <tom at infoether.com> wrote:
> > * Apologies for starting a new thread; I just subscribed.
> >
> > Has anyone been able to make this exploit happen if requests are being
> > proxied to Mongrel through Apache?  I've been trying variations on the
> > double-encoding thing and can't trigger the exploit through Apache.
> > Hitting Mongrel directly does expose the problem.
> >
>
> Yeah Tom, using a proxy/balancer like apache and nginx will filter
> this, but some folks serve mongrel directly, or using not-so-clever
> balancers that don't filter this kind of exploit.
>
> > I'll still upgrade my servers, of course, but I don't want to send an
> > unnecessary "upgrade now" note to other folks...
>
> The most common use of mongrel is "behind a proxy or balancer", so I only
> see development servers being affected by this.
>
> Or, maybe I'm wrong (which happens quite often).
>
> --
> Luis Lavena
> Multimedia systems
> -
> A common mistake that people make when trying to design
> something completely foolproof is to underestimate
> the ingenuity of complete fools.
> Douglas Adams
>
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>



-- 
Evan Weaver
Cloudburst, LLC
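The thread turns on whether a front proxy strips the "double-encoding" variant before it reaches Mongrel, so a site owner serving Mongrel directly (or through a balancer such as pen) needs a way to check their own traffic. Below is an added example, not code from Mongrel, Cloudburst or anyone on this thread, that scans constructed access-log lines for request paths that are still percent-encoded after one round of decoding. The log lines, the `pct_decode`/`double_encoded?`/`suspicious_paths` names and the extra check for a `..` segment after full decoding are all assumptions of this example, not something the thread specifies.

```ruby
# Added example (not from the Mongrel project or this thread): flag request
# paths that are double URL-encoded, the pattern the thread says front proxies
# such as Apache and nginx filter before a request reaches Mongrel.

PCT = /%([0-9A-Fa-f]{2})/

# One round of percent-decoding. Works on a binary copy so that decoded
# non-ASCII bytes never raise an encoding error.
def pct_decode(s)
  s.b.gsub(PCT) { $1.hex.chr }
end

# A path is double-encoded when decoding it once still leaves a valid
# percent-escape, e.g. "%252e" -> "%2e". Note the possible false positive:
# a literal "%" in a file name ("50%2520off") is also encoded as "%25".
def double_encoded?(path)
  pct_decode(path).match?(PCT)
end

# Assumption beyond the thread: also flag any path that contains a ".."
# segment once decoding has converged (bounded to a few rounds).
def traversal_after_decode?(path, rounds = 3)
  decoded = path
  rounds.times do
    nxt = pct_decode(decoded)
    break if nxt == decoded
    decoded = nxt
  end
  decoded.split(%r{[\\/]}).include?('..')
end

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [29/Dec/2007:02:10:01 -0500] "GET /index.html HTTP/1.1" 200 512
  10.0.0.5 - - [29/Dec/2007:02:10:02 -0500] "GET /files/report%202007.pdf HTTP/1.1" 200 9001
  10.0.0.9 - - [29/Dec/2007:02:10:03 -0500] "GET /files/%252e%252e/config.yml HTTP/1.1" 200 77
  10.0.0.9 - - [29/Dec/2007:02:10:04 -0500] "GET /files/%2e%2e/config.yml HTTP/1.1" 404 0
LOG

REQ_LINE = %r{"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"}

# Returns the request paths a filtering front proxy would have rejected:
# double-encoded, or resolving to a ".." segment after decoding.
def suspicious_paths(log)
  log.each_line.filter_map do |line|
    m = line.match(REQ_LINE) or next
    path = m[1]
    path if double_encoded?(path) || traversal_after_decode?(path)
  end
end

if __FILE__ == $0
  suspicious_paths(SAMPLE_LOG).each { |p| puts "flag: #{p}" }
end
```

Running it against a real Mongrel or proxy access log (`ruby check.rb < access.log` after swapping `SAMPLE_LOG` for `STDIN.read`) shows whether such requests are getting through to the backend at all; if the proxy filters them, none should appear in Mongrel's own log while they may still show up in the proxy's.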

