George Wang
2006-Nov-10 17:23 UTC
[SEC] Latest LiteSpeed ruby-lsapi is not vulnerable to the cgi.rb 99% CPU DoS attack
Hi,

First, my thanks to Zed for including LiteSpeed in the cgi.rb vulnerability report. Appreciated!

I just got time to review the ruby-lsapi code and test the vulnerability against LiteSpeed. I found that, in our latest ruby-lsapi release 1.11, the lsapi_read() function returns Qnil when the end of the request body has been reached. So, in theory, LiteSpeed should not be vulnerable to this attack. Our test results confirmed what I expected: 500 Internal Server Error was returned immediately upon receiving the bad multipart request.

However, it is unclear whether earlier releases of ruby-lsapi are vulnerable or not, so please make sure to upgrade to the latest ruby-lsapi release.

Please take care not to mix manual installation with gem installation; manual installation has higher priority. If you have installed an earlier version of ruby-lsapi manually and switch to gem installation later, please make sure to remove the manually installed lsapi.so, usually somewhere under .../lib/ruby/site_ruby/1.8/.

Best Regards,
George Wang

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Jeremy Kemper
2006-Nov-10 18:56 UTC
Re: [SEC] Latest LiteSpeed ruby-lsapi is not vulnerable to the cgi.rb 99% CPU DoS attack
On 11/10/06, George Wang <gwang-vugsFtsTCG9r6h6lumtxgQC/G2K4zDHf@public.gmane.org> wrote:
>
> First, my thanks to Zed for including LiteSpeed in cgi.rb vulnerability
> report. Appreciated!
>
> I just got time to review ruby-lsapi code and test the vulnerability
> against LiteSpeed.
> I found that, in our latest ruby-lsapi release 1.11, lsapi_read()
> function returns Qnil when the end of request body has been reached. So,
> in theory, LiteSpeed should not be vulnerable to this attack.
> Our test results confirmed what I expected, 500 Internal Server Error
> was returned immediately upon receiving the bad multipart request.
>
> However, it is unsure whether earlier release of ruby-lsapi is
> vulnerable or not, please make sure to upgrade to the latest ruby-lsapi
> release.

Thanks for the report, George. Earlier LSAPI hit the CGI bug but *are not affected* since they quickly time out. It's good to know that the latest LSAPI avoids the problem entirely.

I did not test LiteSpeed + FastCGI.

jeremy
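
A simplified model of why the end-of-body return value George describes matters, added here as an example; it is not code from cgi.rb, ruby-lsapi, or either poster. The reader classes, `scan_for_boundary`, `outcome`, and the sample bodies are constructed, and the model assumes a parser that keeps reading until it sees the closing multipart boundary and only fails cleanly when `read` returns nil.

```ruby
require 'stringio'

# Hypothetical stream whose read() returns "" once the body is exhausted.
class EmptyAtEof
  def initialize(data); @io = StringIO.new(data); end
  def read(n); @io.read(n) || ""; end
end

# Hypothetical stream whose read() returns nil at end of body, the
# behaviour the thread reports for lsapi_read() in ruby-lsapi 1.11.
class NilAtEof
  def initialize(data); @io = StringIO.new(data); end
  def read(n); @io.read(n); end
end

MAX_SPINS = 1000 # demo guard only; the modelled loop has no such cap

# Assumed parser shape: read chunks until the closing boundary appears.
def scan_for_boundary(input, closing, chunk = 16)
  buf = +""
  spins = 0
  until buf.include?(closing)
    c = input.read(chunk)
    raise EOFError, "bad content body" if c.nil? # nil ends the request
    if c.empty?                                   # "" makes no progress
      spins += 1
      return [:spinning, spins] if spins >= MAX_SPINS
    end
    buf << c
  end
  [:found, spins]
end

# EOFError is what an application server would turn into an error response.
def outcome(input, closing)
  scan_for_boundary(input, closing)
rescue EOFError
  [:rejected, 0]
end

# Constructed sample bodies: BAD_BODY never carries the closing boundary.
CLOSING   = "--AaB03x--"
BAD_BODY  = "--AaB03x\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\nvalue"
GOOD_BODY = BAD_BODY + "\r\n" + CLOSING + "\r\n"

p outcome(NilAtEof.new(BAD_BODY), CLOSING)
p outcome(EmptyAtEof.new(BAD_BODY), CLOSING)
```

The `:rejected` result corresponds to the immediate 500 Internal Server Error reported in the first message; the `:spinning` result is the no-progress loop that a nil return rules out.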