On Sat, 29 Dec 2007 00:35:15 -0500 Tom Copeland <[EMAIL PROTECTED]> wrote:
> * Apologies for starting a new thread; I just subscribed.
>
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache? I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
>
> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...

I think others said it, but I'll lay out the conditions for what is the most likely upgrade requirement:

1) If you use nginx or apache (and maybe other full web servers with a proxy module) then you can wait to upgrade, but probably not very long. This is because these servers do their own checking as well, and are handling your files. That means a request for the file will be dropped, and blocked.

2) If you use a pure TCP/IP based proxy balancer (balance, pen, swiftiply?) then you must upgrade as these do no checks on the incoming TCP packets.

3) If you use mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one-line fix. You don't need the comments :-)

Hope that helps.

--
Zed A. Shaw
- Hate: http://savingtheinternetwithhate.com/
- Good: http://www.zedshaw.com/
- Evil: http://yearofevil.com/
_______________________________________________
Mongrel-users mailing list
Mongrel-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-users
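The "double-encoding thing" in the thread is a request path that has been percent-encoded twice, so a single decode pass still does not reveal what the path really says. The following Ruby script is an added illustration and is not code from the Mongrel project or from anyone in this thread; it assumes (as the thread's talk of "handling your files" suggests) that the exploit is a path traversal using encoded ".." segments, and the document root and request paths in it are constructed sample inputs. It contrasts a check on the raw request line, which a double-encoded request walks straight past, with a guard that decodes until the string stops changing and then confines the result to the document root.

```ruby
# Added example, not from Mongrel or the mailing-list post.
# Shows why matching ".." against the raw request line is not enough
# when the path is double-encoded, and a guard that decodes first and
# then confines the decoded path to the document root.

DOCROOT = "/var/www/app/public"   # assumed document root for the example

# One round of percent-decoding. Invalid sequences (e.g. "%zz") are left alone.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode until the string stops changing, bounded so a pathological input
# cannot loop forever. "%252e%252e" needs two rounds: "%25" -> "%" gives
# "%2e%2e", and only the second round yields "..".
def fully_unescape(path, max_rounds = 3)
  current = path
  max_rounds.times do
    decoded = percent_decode(current)
    return decoded if decoded == current
    current = decoded
  end
  current
end

# The weak check: look for ".." in the request line as it arrived on the wire.
def naive_raw_check_blocks?(raw_path)
  raw_path.include?("..")
end

# The stronger check. Returns the absolute file to serve, or nil to refuse.
def safe_file_path(docroot, raw_path)
  decoded = fully_unescape(raw_path)
  # A NUL byte would truncate the name in the C-level open() call.
  return nil if decoded.include?("\0")
  # Strip leading slashes and prefix "./" so File.expand_path cannot treat a
  # leading "~" as a home-directory reference; expand_path then collapses any
  # ".." segments lexically against the docroot.
  relative = decoded.sub(%r{\A/+}, "")
  resolved = File.expand_path("./" + relative, docroot)
  return nil unless resolved == docroot || resolved.start_with?(docroot + "/")
  resolved
end

def classify(raw_path)
  {
    naive_blocks: naive_raw_check_blocks?(raw_path),
    decoded:      fully_unescape(raw_path),
    served:       safe_file_path(DOCROOT, raw_path),
  }
end

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
  "plain traversal" => "/../../etc/passwd",
  "single encoding" => "/%2e%2e/%2e%2e/etc/passwd",
  "double encoding" => "/%252e%252e/%252e%252e/etc/passwd",
  "legitimate file" => "/javascripts/app.js",
}

if __FILE__ == $0
  SAMPLE_REQUESTS.each do |label, raw|
    r = classify(raw)
    puts "#{label.ljust(16)} raw=#{raw.inspect}"
    puts "  naive '..' check blocks it? #{r[:naive_blocks]}"
    puts "  decoded:                    #{r[:decoded].inspect}"
    puts "  served:                     #{r[:served].inspect}"
  end
end
```

Run it and the "double encoding" row shows the point of the thread: the raw-line check reports false, while `fully_unescape` turns the path into `/../../etc/passwd` and `safe_file_path` refuses it. Whether a front end such as Apache or nginx performs this kind of decoding and normalisation before proxying is exactly the property the thread's item 1 relies on, so the only safe assumption with a plain TCP balancer (item 2) or direct Mongrel exposure (item 3) is that nothing upstream does it for you.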