[Mongrel] bad URI(is not URI?): c:\boot.ini

Kris Leech krisleech at interkonect.com
Sat Mar 10 15:05:03 EST 2007


Zed A. Shaw wrote:
> On Thu, 8 Mar 2007 13:33:11 -0600
> "Berger, Daniel" <Daniel.Berger at Qwest.com> wrote:
>
>>> I'll probably make this optional then for those people who 
>>> don't care about IE on a localhost setup.
>> Is this something that needs to be fixed in the URI module, i.e.
>> handling Windows-style file URLs? Or should I just nevermind?
>
> No, it's more of an opening for an attack based on malformed URLs than
> anything.
>
> Normally, let's say you do a request for:
>
> GET /<something horrible>/../c:\system.ini HTTP/1.1
>
> Then Mongrel will take the <something horrible> and reject it since it
> most likely is a parsing error.  This is why mongrel so easily defends
> against a lot of attacks.  Not because it's actively trying, but just
> by being strict.
>
> The problem comes from an ambiguity in the RFC that says requests with:
>
> GET http://localhost:3000/<something horrible>/../c:\system.ini HTTP/1.1
>
> Are not valid, but still need to be processed by servers since clients
> still try to use it.  The above line is intended for proxy servers
> only, not end point web servers.  Mongrel isn't a proxy server, so all
> this host information is useless.  The RFC is also ambiguous on which
> host specification should win when this and a Host: header is given.
>
> What happens is IE for various weird reasons insists on sending this as
> its GET request.  Since people running rails on IE typically don't put
> it behind a proxying server these requests aren't scrubbed so they blow
> up.  Nothing they can do, and the only fix is to either reject these
> outright or try parsing the requested URI to pull off the path and
> request portions dropping the host and protocol junk.
>
> Well, that's where the trouble lurks.  If the quality of cgi.rb is any
> indicator, Ruby's URI parsing could have all sorts of
> vulnerabilities.  It's not written using a parser so it's not easy to
> validate correctness (you can look at mongrel's parser and check it
> right away against the RFC).  Now that there's some attack available
> for these kinds of URLs that only IE and Windows servers process
> validly I begin to worry how long it'll be before there's an attack.
>
> Then again I'm paranoid, but my paranoia has paid off for many people
> and been right many times before.
>
> So, long story short, there's nothing you can do unless you can fix
> IE.  Only thing I'm going to do is add an option to reject these kinds
> of URLs with the full host as attacks, and then see what happens. 
>
Now I see. At present this can be used as a DoS attack since it actually
brings Mongrel down.
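The two options Zed lists, rejecting absolute-form targets or pulling the path off them, as an added Ruby example (my code, not Mongrel's parser): it keeps only the path and query of an `http://host:port/...` request target, applies the RFC 3986 path grammar strictly, and answers `nil` rather than raising for a target like the thread's `c:\boot.ini`, so a malformed request line cannot take the server down.

```ruby
# Added example, not Mongrel's own parser: a strict request-target
# normalizer. It accepts origin-form targets ("/path"), accepts the
# absolute-form IE sends ("http://host:port/path") by keeping only path
# and query, and returns nil (never raises) for anything outside the
# RFC 3986 path grammar, such as the backslash in "c:\boot.ini", or
# that climbs above "/" via "..".
require 'uri'

# pchar plus "/" from RFC 3986; backslash, space, "<" and ">" are absent.
PATH_CHARS = %r{\A[A-Za-z0-9\-._~!$&'()*+,;=:@/%]*\z}

# Returns "/path" or "/path?query" for an acceptable target, nil otherwise.
def normalize_request_target(target)
  target = target.to_s
  return nil if target.empty?

  if target =~ %r{\Ahttps?://}i
    # Absolute-form: the host is for proxies; drop scheme and authority.
    begin
      uri = URI.parse(target)
    rescue URI::InvalidURIError     # e.g. "bad URI(is not URI?)"
      return nil
    end
    path  = uri.path.empty? ? "/" : uri.path
    query = uri.query
  else
    return nil unless target.start_with?("/")
    path, _sep, query = target.partition("?")
    query = nil if query.empty?
  end

  # Character-level strictness: bad escapes and forbidden bytes are fatal.
  return nil unless path.match?(PATH_CHARS)
  return nil if path.match?(/%(?![0-9A-Fa-f]{2})/)
  return nil if query && query.match?(/[\\\s<>]/)

  # Resolve "." and ".."; popping past the root is a traversal attempt.
  segments = []
  path.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end
  clean = "/" + segments.join("/")
  clean << "/" if path.end_with?("/") && !segments.empty?
  query ? "#{clean}?#{query}" : clean
end
```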