[Mongrel] Regarding the 1.1.3 security release

Paolo Campegiani paolo.campegiani at gmail.com
Sat Dec 29 06:05:48 EST 2007


2007/12/29, Zed A. Shaw <zedshaw at zedshaw.com>:

> 1) If you use nginx or apache (and maybe other full web servers with a
> proxy module) then you can wait to upgrade, but probably not very
> long.  This is because these servers do their own checking as well, and
> are handling your files.  That means a request for the file will be
> dropped, and blocked.

I have an Apache 2.0 protected by mod_security (with the standard
configuration), and the result of
GETting http://host.domain.it//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd
is HTTP 501: Method Not Implemented

GET to //.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd not supported.
Apache/2.0.x (RHEL) Server at host.domain.it Port 80

That means that mod_security stops the request before it hits Apache.
I don't know if Apache would stop it by itself; I just want to suggest that
this extra layer of security can be added for free, and it does not
interfere with the Rails application we have here.
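As an added example (not code from this mail, from Mongrel or from mod_security), this is the canonicalisation a front-end check has to perform before deciding whether a request like the one above may be served: percent-decode until the path stops changing so that `%252e` becomes `%2e` and then `.`, resolve the `..` segments against a document root, and serve only paths that stay beneath it. The document root `/var/www/app/public` and the sample paths are assumptions.

```ruby
# Assumed document root for the constructed examples below.
DOC_ROOT = "/var/www/app/public"

# Percent-decode repeatedly until the string stops changing (bounded), so that
# a double-encoded "%252e" collapses to "." the same way it would after the
# proxy and the backend each decode it once.
def fully_decode(path, max_rounds = 5)
  decoded = path.b  # work on bytes; decoded bytes may not be valid UTF-8
  max_rounds.times do
    nxt = decoded.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    return decoded if nxt == decoded
    decoded = nxt
  end
  decoded
end

# Return [:allow, absolute_file_path] or [:reject, reason].
# Containment is checked on the fully resolved path, not on the raw request.
def resolve_request_path(raw_path, doc_root = DOC_ROOT)
  decoded = fully_decode(raw_path)
  return [:reject, "null byte in path"] if decoded.include?("\0")

  root = File.expand_path(doc_root)
  # Drop leading slashes so "//../etc/passwd" is joined under the root rather
  # than treated as an absolute path; expand_path then folds "." and "..".
  relative = decoded.sub(%r{\A/+}, "")
  candidate = File.expand_path(File.join(root, relative))

  if candidate == root || candidate.start_with?(root + "/")
    [:allow, candidate]
  else
    [:reject, "resolves outside document root: #{candidate}"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: the double-encoded one from the post, its
  # single-encoded form, and an ordinary static asset.
  [
    "//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd",
    "//.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd",
    "/images/logo.png",
  ].each do |req|
    verdict, detail = resolve_request_path(req)
    puts "#{verdict.to_s.upcase.ljust(6)} #{req} -> #{detail}"
  end
end
```

A check that only looks for a literal `..` in the raw request misses the double-encoded form; decoding to a fixed point and then testing containment catches both spellings with one rule.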


More information about the Mongrel-users mailing list