Regarding the 1.1.3 security release

  • Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being
proxied to Mongrel through Apache? I’ve been trying variations on the
double-encoding thing and can’t trigger the exploit through Apache.
Hitting Mongrel directly does expose the problem.

I’ll still upgrade my servers, of course, but I don’t want to send an
unnecessary “upgrade now” note to other folks…

Thanks,

Tom

On Dec 29, 2007 2:35 AM, Tom C. [email protected] wrote:

  • Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being
proxied to Mongrel through Apache? I’ve been trying variations on the
double-encoding thing and can’t trigger the exploit through Apache.
Hitting Mongrel directly does expose the problem.

Yeah Tom, using a proxy/balancer like apache and nginx will filter
this, but some folks serve mongrel directly, or use not-so-clever
balancers that don’t filter this kind of exploit.

I’ll still upgrade my servers, of course, but I don’t want to send an
unnecessary “upgrade now” note to other folks…

Most common use of mongrel is “behind a proxy or balancer”, so I only
see development servers being affected by this.

Or, maybe I’m wrong (which happens quite often).


Luis L.
Multimedia systems

A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.
Douglas Adams

On Dec 28, 2007, at 9:35 PM, Tom C. wrote:

Thanks,

Tom

As far as I can tell this is only exploitable on direct mongrel hits.
I cannot make it happen on mongrels behind nginx or apache.

Cheers-

I think ‘pen’ is vulnerable. I don’t think mod_proxy_balancer is. You
will need to check your own site.

The new gems will be out in a few hours for all platforms.

Evan

On Sat, 29 Dec 2007 00:35:15 -0500
Tom C. [email protected] wrote:

  • Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being
proxied to Mongrel through Apache? I’ve been trying variations on the
double-encoding thing and can’t trigger the exploit through Apache.
Hitting Mongrel directly does expose the problem.

I’ll still upgrade my servers, of course, but I don’t want to send an
unnecessary “upgrade now” note to other folks…

I think others said it, but I’ll lay out the conditions for what is the
most likely upgrade requirement:

  1. If you use nginx or apache (and maybe other full web servers with a
    proxy module) then you can wait to upgrade, but probably not very
    long. This is because these servers do their own checking as well, and
    are handling your files. That means a request for the file will be
    dropped, and blocked.
  2. If you use a pure TCP/IP based proxy balancer (balance, pen,
    swiftiply?) then you must upgrade as these do no checks on the incoming
    TCP packets.
  3. If you use mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one line fix. You
don’t need the comments :)

Hope that helps.


Zed A. Shaw
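An added example (Ruby, not Mongrel’s own code and not the one line fix mentioned above) of the distinction Zed draws between a front end that normalizes the path and one that does not: a check that looks for a literal `..` after a single decode misses the double-encoded form quoted in this thread, while resolving the fully decoded path against the document root catches it. The `/var/www` root and the sample request paths are constructed for illustration.

```ruby
MAX_DECODE_ROUNDS = 4

# Decode one layer of %XX escapes: "%252e" becomes "%2e", "%2e" becomes ".".
def percent_decode_once(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Keep decoding until the string stops changing (bounded, so a hostile
# request cannot make us loop forever), so "%252e" and "%2e" both end as ".".
def fully_decode(path)
  MAX_DECODE_ROUNDS.times do
    decoded = percent_decode_once(path)
    return decoded if decoded == path
    path = decoded
  end
  path
end

# The shape of check that double encoding defeats: decode once, then refuse
# anything containing a literal "..". Constructed for illustration only.
def naive_allowed?(request_path)
  !percent_decode_once(request_path).include?("..")
end

# Hardened check: decode completely, resolve the result against the document
# root, and serve only files whose canonical location is still under the root.
def safe_to_serve?(docroot, request_path)
  root = File.expand_path(docroot)
  target = File.expand_path(File.join(root, fully_decode(request_path)))
  target.start_with?(root + File::SEPARATOR)
end

# Constructed sample request paths (not taken from any real server log).
SAMPLE_PATHS = [
  "/images/logo.png",                              # benign
  "//.%2e/.%2e/.%2e/etc/passwd",                   # single-encoded traversal
  "//.%252e/.%252e/.%252e/etc/passwd",             # double-encoded traversal
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |p|
    printf("%-40s naive=%-5s hardened=%s\n",
           p, naive_allowed?(p), safe_to_serve?("/var/www", p))
  end
end
```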

2007/12/29, Zed A. Shaw [email protected]:

  1. If you use nginx or apache (and maybe other full web servers with a
    proxy module) then you can wait to upgrade, but probably not very
    long. This is because these servers do their own checking as well, and
    are handling your files. That means a request for the file will be
    dropped, and blocked.

I have an Apache 2.0 protected by modsecurity (with standard
configuration), and the result of GETting
http://host.domain.it//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd
is HTTP 501: Method Not Implemented:

GET to //.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd not supported.
Apache/2.0.x (RHEL) Server at host.domain.it Port 80

That means that modsecurity stops the request before it hits Apache.
I don’t know if Apache would stop it by itself; I just want to suggest that
this extra layer of security could be added for free and it does not
interfere with the Rails applications we have here.

On Sat, 2007-12-29 at 03:32 -0500, Zed A. Shaw wrote:

TCP packets.
3) If you use mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one line fix. You
don’t need the comments :)

Cool, thanks much for the summary and also for the quick fix!

Yours,

tom