It's time again for your monthly cgi.rb DOS vulnerability. This latest
vulnerability is different from the one that cgi_multipart_eof_fix.gem fixed.
This one is related to the boundary taken from the web client being used
incorrectly.
You can read about the vulnerability here:
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library
The applicable PATCH is here:
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.68.2.18&r2=1.68.2.19
That patch covers just this vulnerability; if you want both this one and the
previous one, then it's:
http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.68.2.17&r2=1.68.2.19
The full source is here:
http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz
And the original posting from Urabe Shyouhei:
http://groups-beta.google.com/group/comp.lang.ruby/browse_frm/thread/bdc7a5f5f48827b2/d39e95b3bb035162#d39e95b3bb035162
I will NOT be releasing a similar fix gem for Mongrel, and instead will
encourage people to either upgrade or apply the patch themselves. I'll sort
out if I can do a Mongrel release now that doesn't have the original
cgi_multipart_eof_fix gem included as well.
FULL DESCRIPTION
The vulnerability is that when the web browser sends a multipart HTTP request it
decides what the boundary should be. Since the client can't be trusted, the web
server has to protect itself against the client choosing a malicious boundary.
In cgi.rb the boundary variable was originally interpolated directly into the
later regex without being escaped. This means a client can pick a boundary that
is itself a regex designed to eat CPU and inject it into the final regex used to
find matching boundaries.
COURSE OF ACTION
You have three possible things you can do right now:
1) Apply the above patch to cgi.rb and restart all your mongrel servers.
2) Upgrade to the 1.8.5-p2 version of ruby. Some systems have already started
pushing this out.
3) If you can, restrict multipart MIME requests to only the URLs that should
accept them, and possibly even reject multipart requests whose boundary contains
anything other than alphanumeric characters and dashes. This is still risky, but
it might get you over the hump.
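As an added illustration of both the FULL DESCRIPTION and option 3 above (this is example code written for this page, not cgi.rb, the patch, or Mongrel's own code), here is a small boundary handler that applies two defences: it validates the boundary's character set before use, and it escapes the boundary with Regexp.escape so that any regex metacharacters in it are matched literally. The character set below is RFC 2046's boundary alphabet, which is wider than "alphanumerics and dashes" and deliberately still includes regex metacharacters such as `(`, `+`, `.` and `?`, to show why validation alone is not enough and escaping is required. The header values and bodies are constructed for the example.

```ruby
# RFC 2046 boundary alphabet, 1 to 70 characters. Note that (, ), +, ., ? are
# legal boundary characters AND regex metacharacters, so validating the
# character set does not remove the need to escape before interpolation.
BOUNDARY_CHARS = /\A[0-9A-Za-z'()+_,\-.\/:=? ]{1,70}\z/

# Extract the boundary parameter from a Content-Type header value (a
# constructed input for this example). Returns nil when the request is not
# multipart/form-data or the boundary is missing or outside the allowed set.
def extract_boundary(content_type)
  return nil unless content_type =~ %r{\Amultipart/form-data\s*;}i
  m = content_type.match(/boundary=("?)([^";]+)\1/)
  return nil unless m
  boundary = m[2]
  return nil unless boundary =~ BOUNDARY_CHARS
  boundary
end

# The unsafe construction: the client-supplied boundary is interpolated
# straight into the regex, so it is interpreted as a pattern, not as text.
def unsafe_boundary_regex(boundary)
  /--#{boundary}(--)?\r\n/
end

# The safe construction: Regexp.escape turns every metacharacter into a
# literal, so the boundary can only ever match itself.
def safe_boundary_regex(boundary)
  /--#{Regexp.escape(boundary)}(--)?\r\n/
end

# Count the parts in a multipart body using the safe regex. Every delimiter
# line matches, including the closing "--boundary--" one, so subtract one.
def count_parts(body, boundary)
  body.scan(safe_boundary_regex(boundary)).size - 1
end

if __FILE__ == $0
  # A boundary containing a metacharacter: "." in a pattern matches any
  # character, so the unsafe regex treats "--aXb" as a delimiter line.
  b = extract_boundary("multipart/form-data; boundary=a.b")
  puts "unsafe matches non-boundary line: #{unsafe_boundary_regex(b).match?("--aXb\r\n")}"
  puts "safe matches non-boundary line:   #{safe_boundary_regex(b).match?("--aXb\r\n")}"
  body = "--a.b\r\nfield one\r\n--a.b\r\nfield two\r\n--a.b--\r\n"
  puts "parts found: #{count_parts(body, b)}"
end
```

The point to take from the unsafe/safe pair is that a boundary built from only "nice" characters can still change what the regex means; escaping is what makes the boundary data rather than code, and the character-set check is a belt-and-braces limit on the boundary's length and shape.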
GETTING HELP
If you are totally stuck and still need help I'll be hanging out in the Lingr
room for the rest of the evening:
http://www.lingr.com/room/3yXhqKbfPy8
Feel free to bug me with questions.
--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
Mongrel-users mailing list
http://rubyforge.org/mailman/listinfo/mongrel-users