Zed A. Shaw
2006-Dec-04 23:26 UTC
[Mongrel] [SECURITY] DOS In cgi.rb Announced, Upgrade Your Ruby
It's time again for your monthly cgi.rb DOS vulnerability. This latest vulnerability is different from the one that cgi_multipart_eof_fix.gem fixed. This one is related to the boundary taken from the web client being used incorrectly.

You can read about the vulnerability:

http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library

The applicable PATCH is here:

http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.68.2.18&r2=1.68.2.19

For just this vulnerability, and if you want both this one and the previous then it's:

http://www.ruby-lang.org/cgi-bin/cvsweb.cgi/ruby/lib/cgi.rb?cvsroot=src&r1=1.68.2.17&r2=1.68.2.19

The full source is here:

http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz

And the original posting from Urabe Shyouhei:

http://groups-beta.google.com/group/comp.lang.ruby/browse_frm/thread/bdc7a5f5f48827b2/d39e95b3bb035162#d39e95b3bb035162

I will NOT be releasing a similar fix gem for Mongrel, and instead will encourage people to either upgrade or apply the patch themselves. I'll sort out if I can do a Mongrel release now that doesn't have the original cgi_multipart_eof_fix gem included as well.

FULL DESCRIPTION

The vulnerability is that when the web browser sends the HTTP request it decides what the boundary should be. The web server has to protect against the client choosing malicious boundaries since it can't be trusted. In cgi.rb the boundary variable originally was used directly in the later regex without being quoted. This means a client can pick an actual regex that eats the CPU and inject it into the final regex used to find matching boundaries.

COURSE OF ACTION

You have three possible things you can do right now:

1) Apply the above patch to cgi.rb and restart all your mongrel servers.

2) Upgrade to the 1.8.5-p2 version of ruby. Some systems have already started pushing this out.
3) If you can, restrict multipart mime requests to only the URLs that should accept them, and possibly even restrict requests that don't have only alpha-numeric characters in them and dashes. This is risky still, but it might get you over the hump.

GETTING HELP

If you are totally stuck and still need help I'll be hanging out in the Lingr room for the rest of the evening:

http://www.lingr.com/room/3yXhqKbfPy8

Feel free to bug me with questions.

--
Zed A. Shaw, MUDCRAP-CE Master Black Belt Sifu
http://www.zedshaw.com/
http://www.awprofessional.com/title/0321483502 -- The Mongrel Book
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
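An added illustration of the mechanism Zed describes (this is example code, not cgi.rb or anything from the post): the client-chosen boundary interpolated into a Regexp raw versus through Regexp.quote, which is the class of fix the patch applies, plus the strict alphanumeric-and-dashes boundary check from option 3). The boundary value and the body line are constructed samples.

```ruby
# Constructed sample boundary. The '.' is legal in a MIME boundary, but
# in an unquoted regex it is a wildcard, so the client now controls
# part of the parser's pattern instead of just supplying a string.
BOUNDARY = 'a.b'

# Vulnerable shape: the boundary is dropped straight into the regex
# (what the unpatched cgi.rb did). Any regex metacharacter the client
# puts in the boundary becomes regex syntax on the server.
def boundary_regex_unquoted(boundary)
  /--#{boundary}(\r\n|--)/
end

# Fixed shape: Regexp.quote escapes every metacharacter, so the
# client's string can only ever match itself, character for character.
def boundary_regex_quoted(boundary)
  /--#{Regexp.quote(boundary)}(\r\n|--)/
end

def matches_unquoted?(line, boundary = BOUNDARY)
  !!(boundary_regex_unquoted(boundary) =~ line)
end

def matches_quoted?(line, boundary = BOUNDARY)
  !!(boundary_regex_quoted(boundary) =~ line)
end

# Defensive check for option 3) in the post: accept only boundaries made
# of alphanumerics and dashes (stricter than RFC 2046's full bchars set;
# the 70-character limit is RFC 2046's). Belt-and-braces on top of quoting.
def boundary_well_formed?(boundary)
  !!(/\A[0-9A-Za-z-]{1,70}\z/ =~ boundary)
end

if __FILE__ == $0
  # Constructed body line that is NOT the boundary delimiter. The unquoted
  # regex accepts it because '.' matched 'x'; the quoted one rejects it.
  line = "--axb\r\n"
  puts "unquoted: #{matches_unquoted?(line)}"   # true  (regex injection)
  puts "quoted:   #{matches_quoted?(line)}"     # false (literal match only)
  puts "strict check on #{BOUNDARY.inspect}: #{boundary_well_formed?(BOUNDARY)}"
end
```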
On 12/4/06, Zed A. Shaw <zedshaw at zedshaw.com> wrote:

> It's time again for your monthly cgi.rb DOS vulnerability. This latest vulnerability is different from the one that cgi_multipart_eof_fix.gem fixed. This one is related to the boundary taken from the web client being used incorrectly.
>
> You can read about the vulnerability:

[snip]

Thank you very much for this announcement. I took the route of upgrading Ruby. So far so good. If I run into anything crazy, I'll be sure to report it.

-- James