On Dec 28, 2007 7:01 PM, Eric Mason <[EMAIL PROTECTED]> wrote: > I just found a vulnerability in one of my web apps that was running > Mongrel 1.1.2 where I could go to URIs like > /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it > would serve the actual /etc/passwd file. > > The issue seems to be in lib/mongrel/handlers.rb in the change from > 1.0.3 to 1.0.4 >
can you download and install the 1.1.3 gem I put online from here: http://mmediasys.com/mongrel/mongrel-1.1.3.gem and let me know if it worked before we put it on rubyforge. also, knowing the Dir.pwd of your public doc root will be good, or a test case showing the problem, since I couldn't reproduce the behavior you described under Windows. (I know there isn't /etc/passwd on windows, tried other file) :-D Please let me know ASAP. -- Luis Lavena Multimedia systems - A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. Douglas Adams _______________________________________________ Mongrel-users mailing list Mongrel-users@rubyforge.org http://rubyforge.org/mailman/listinfo/mongrel-users
