On Dec 29, 2007 2:35 AM, Tom Copeland <[EMAIL PROTECTED]> wrote: > * Apologies for starting a new thread; I just subscribed. > > Has anyone been able to make this exploit happen if requests are being > proxied to Mongrel through Apache? I've been trying variations on the > double-encoding thing and can't trigger the exploit through Apache. > Hitting Mongrel directly does expose the problem. >
Yeah Tom, using a proxy/balancer like apache and nginx will filter this, but some folks serve mongrel directly, or using not-so-clever balancers that didn't filter this kind of exploits. > I'll still upgrade my servers, of course, but I don't want to send an > unnecessary "upgrade now" note to other folks... Most common use of mongrel is "behind a proxy or balancer", so I only see development servers is being affected by this. Or, maybe I'm wrong (which happens quite often). -- Luis Lavena Multimedia systems - A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. Douglas Adams _______________________________________________ Mongrel-users mailing list Mongrel-users@rubyforge.org http://rubyforge.org/mailman/listinfo/mongrel-users
