I think 'pen' is vulnerable. I don't think mod_proxy_balancer is. You will need to check your own site.
The new gems will be out in a few hours for all platforms. Evan On Dec 29, 2007 1:12 AM, Luis Lavena <[EMAIL PROTECTED]> wrote: > On Dec 29, 2007 2:35 AM, Tom Copeland <[EMAIL PROTECTED]> wrote: > > * Apologies for starting a new thread; I just subscribed. > > > > Has anyone been able to make this exploit happen if requests are being > > proxied to Mongrel through Apache? I've been trying variations on the > > double-encoding thing and can't trigger the exploit through Apache. > > Hitting Mongrel directly does expose the problem. > > > > Yeah Tom, using a proxy/balancer like apache and nginx will filter > this, but some folks serve mongrel directly, or using not-so-clever > balancers that didn't filter this kind of exploits. > > > I'll still upgrade my servers, of course, but I don't want to send an > > unnecessary "upgrade now" note to other folks... > > Most common use of mongrel is "behind a proxy or balancer", so I only > see development servers is being affected by this. > > Or, maybe I'm wrong (which happens quite often). > > -- > Luis Lavena > Multimedia systems > - > A common mistake that people make when trying to design > something completely foolproof is to underestimate > the ingenuity of complete fools. > Douglas Adams > > _______________________________________________ > Mongrel-users mailing list > Mongrel-users@rubyforge.org > http://rubyforge.org/mailman/listinfo/mongrel-users > -- Evan Weaver Cloudburst, LLC _______________________________________________ Mongrel-users mailing list Mongrel-users@rubyforge.org http://rubyforge.org/mailman/listinfo/mongrel-users
