* Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being proxied to Mongrel through Apache? I've been trying variations on the double-encoding thing and can't trigger the exploit through Apache. Hitting Mongrel directly does expose the problem.

I'll still upgrade my servers, of course, but I don't want to send an unnecessary "upgrade now" note to other folks...

Thanks,

Tom
On Dec 29, 2007 2:35 AM, Tom Copeland <tom at infoether.com> wrote:
> * Apologies for starting a new thread; I just subscribed.
>
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache? I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
>

Yeah Tom, using a proxy/balancer like apache and nginx will filter this, but some folks serve mongrel directly, or use not-so-clever balancers that don't filter this kind of exploit.

> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...

The most common use of mongrel is "behind a proxy or balancer", so I only see development servers as being affected by this.

Or, maybe I'm wrong (which happens quite often).

--
Luis Lavena
Multimedia systems
-
A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.
Douglas Adams
On Dec 28, 2007, at 9:35 PM, Tom Copeland wrote:
> * Apologies for starting a new thread; I just subscribed.
>
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache? I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
>
> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...
>
> Thanks,
>
> Tom
>

As far as I can tell this is only exploitable on direct mongrel hits. I cannot make it happen on mongrels behind nginx or apache.

Cheers-
- Ezra Zygmuntowicz
-- Founder & Software Architect
-- ezra at engineyard.com
-- EngineYard.com
I think 'pen' is vulnerable. I don't think mod_proxy_balancer is. You will need to check your own site.

The new gems will be out in a few hours for all platforms.

Evan

On Dec 29, 2007 1:12 AM, Luis Lavena <luislavena at gmail.com> wrote:
> On Dec 29, 2007 2:35 AM, Tom Copeland <tom at infoether.com> wrote:
> > * Apologies for starting a new thread; I just subscribed.
> >
> > Has anyone been able to make this exploit happen if requests are being
> > proxied to Mongrel through Apache? I've been trying variations on the
> > double-encoding thing and can't trigger the exploit through Apache.
> > Hitting Mongrel directly does expose the problem.
> >
>
> Yeah Tom, using a proxy/balancer like apache and nginx will filter
> this, but some folks serve mongrel directly, or using not-so-clever
> balancers that didn't filter this kind of exploits.
>
> > I'll still upgrade my servers, of course, but I don't want to send an
> > unnecessary "upgrade now" note to other folks...
>
> Most common use of mongrel is "behind a proxy or balancer", so I only
> see development servers is being affected by this.
>
> Or, maybe I'm wrong (which happens quite often).
>
> --
> Luis Lavena
> Multimedia systems
> -
> A common mistake that people make when trying to design
> something completely foolproof is to underestimate
> the ingenuity of complete fools.
> Douglas Adams
>
> _______________________________________________
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/mongrel-users
>

--
Evan Weaver
Cloudburst, LLC
On Sat, 29 Dec 2007 00:35:15 -0500 Tom Copeland <tom at infoether.com> wrote:
> * Apologies for starting a new thread; I just subscribed.
>
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache? I've been trying variations on the
> double-encoding thing and can't trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
>
> I'll still upgrade my servers, of course, but I don't want to send an
> unnecessary "upgrade now" note to other folks...

I think others said it, but I'll lay out the conditions for what is the most likely upgrade requirement:

1) If you use nginx or apache (and maybe other full web servers with a proxy module) then you can wait to upgrade, but probably not very long. This is because these servers do their own checking as well, and are handling your files. That means a request for the file will be dropped, and blocked.

2) If you use a pure TCP/IP based proxy balancer (balance, pen, swiftiply?) then you must upgrade as these do no checks on the incoming TCP packets.

3) If you use mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one line fix. You don't need the comments :-)

Hope that helps.

--
Zed A. Shaw
- Hate: http://savingtheinternetwithhate.com/
- Good: http://www.zedshaw.com/
- Evil: http://yearofevil.com/
2007/12/29, Zed A. Shaw <zedshaw at zedshaw.com>:
> 1) If you use nginx or apache (and maybe other full web servers with a
> proxy module) then you can wait to upgrade, but probably not very
> long. This is because these servers do their own checking as well, and
> are handling your files. That means a request for the file will be
> dropped, and blocked.

I have an Apache 2.0 protected by modsecurity (with standard configuration), and the result of GETting

  http://host.domain.it//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd

is

  HTTP 501: Method Not Implemented
  GET to //.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd not supported.
  Apache/2.0.x (RHEL) Server at host.domain.it Port 80

which means that modsecurity stops the request before it hits Apache. I don't know if Apache would stop it by itself; I just want to suggest that this extra layer of security can be added for free, and it does not interfere with the Rails application we have here.
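The checking Zed attributes to full web servers, and the double-encoded request that modsecurity rejected above, as an added Ruby example that is neither Mongrel's code nor the one-line fix mentioned on the list; the document root, the decode-round limit and the sample request paths are constructed for illustration.

```ruby
# Added example, not Mongrel's own code: the check a front-end web server or
# proxy performs before touching the filesystem, and that a server handing
# files out directly must do itself. Percent-decoding is undone repeatedly,
# so the double-encoded ".%252e" form becomes ".%2e" and then "..", the result
# is resolved against the document root, and anything escaping it is rejected.

MAX_DECODE_ROUNDS = 3   # assumption: input still changing after this many rounds is hostile

# Decode %XX sequences until the string stops changing; nil if it never settles.
def fully_decode(path)
  current = path
  MAX_DECODE_ROUNDS.times do
    decoded = current.gsub(/%([0-9A-Fa-f]{2})/) { $1.to_i(16).chr }
    return decoded if decoded == current
    current = decoded
  end
  nil
end

# Returns [:ok, absolute_file_path] or [:reject, reason].
def check_request_path(docroot, raw_path)
  path_only = raw_path.split('?', 2).first        # query string plays no part in file lookup
  decoded = fully_decode(path_only)
  return [:reject, 'percent-encoding does not settle'] if decoded.nil?
  return [:reject, 'null byte in path'] if decoded.include?("\0")
  return [:reject, 'backslash in path'] if decoded.include?('\\')

  root = File.expand_path(docroot)
  # Interpret the request relative to the root (drop leading slashes), then let
  # expand_path collapse "." and ".." segments before comparing prefixes.
  relative = decoded.sub(%r{\A/+}, '')
  target = File.expand_path(relative, root)
  inside = target == root || target.start_with?(root + '/')
  return [:reject, 'resolves outside document root'] unless inside
  [:ok, target]
end

# Constructed request paths modelled on the thread: a normal file, a harmless
# in-root "..", a single-encoded escape, the double-encoded one from the
# modsecurity test, and a triple-encoded variant that never settles.
SAMPLES = [
  '/images/logo.png',
  '/css/%2e%2e/site.css',
  '/%2e%2e/%2e%2e/etc/passwd',
  '//.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd',
  '/%25252e%25252e/etc/passwd',
]

if __FILE__ == $0
  SAMPLES.each do |p|
    verdict, detail = check_request_path('/var/www/app/public', p)
    puts "#{verdict.to_s.ljust(6)} #{p} -> #{detail}"
  end
end
```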
On Sat, 2007-12-29 at 03:32 -0500, Zed A. Shaw wrote:
> I think others said it, but I'll lay out the conditions for what is the
> most likely upgrade requirement:
>
> 1) If you use nginx or apache (and maybe other full web servers with a
> proxy module) then you can wait to upgrade, but probably not very
> long. This is because these servers do their own checking as well, and
> are handling your files. That means a request for the file will be
> dropped, and blocked.
> 2) If you use a pure TCP/IP based proxy balancer (balance, pen,
> swiftiply?) then you must upgrade as these do no checks on the incoming
> TCP packets.
> 3) If you use mongrel directly to serve content then you must upgrade.
>
> If you cannot upgrade, see the list earlier for the one line fix. You
> don't need the comments :-)

Cool, thanks much for the summary and also for the quick fix!

Yours,

tom