[Mongrel] Regarding the 1.1.3 security release

Zed A. Shaw zedshaw at zedshaw.com
Sat Dec 29 03:32:37 EST 2007

On Sat, 29 Dec 2007 00:35:15 -0500
Tom Copeland <tom at infoether.com> wrote:

> * Apologies for starting a new thread; I just subscribed.
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache?  I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.  
> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...

I think others said it, but I'll lay out the conditions for what is the
most likely upgrade requirement:

1) If you use nginx or Apache (and maybe other full web servers with a
proxy module) then you can wait to upgrade, but probably not very
long.  This is because these servers do their own checking as well, and
are handling your files.  That means a request for the file will be
dropped, and blocked.
2) If you use a pure TCP/IP based proxy balancer (balance, pen,
swiftiply?) then you must upgrade as these do no checks on the incoming
TCP packets.
3) If you use Mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one line fix.  You
don't need the comments :-)

Hope that helps.

Zed A. Shaw
- Hate: http://savingtheinternetwithhate.com/
- Good: http://www.zedshaw.com/
- Evil: http://yearofevil.com/
