Evan Weaver
2006-Dec-06 02:58 UTC
[SECURITY] Hotfix for cgi.rb vulnerability of Dec. 4, 2006
Hi,

I've released a hotfix, just like the last one from Zed Shaw, for the new cgi.rb denial-of-service vulnerability, which does affect Rails. You can get it here:

http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix

It will be useful to you if you are unable or unwilling to upgrade your core Ruby cgi.rb file. We have deployed it on Chow.com and are making it available to everyone.

Evan

=== README

== DESCRIPTION

Fix an exploitable bug in CGI multipart parsing which affects Ruby <1.8.5 when the multipart boundary attribute contains a non-halting regular expression string. The boundary searcher in the CGI module does not properly escape the user-supplied parameter and will execute arbitrary regular expressions. The fix adds escaping for the user data.

This fix is cumulative with previous CGI multipart vulnerability fixes; see version 1.0.0 of the gem by Zed Shaw.

== SCOPE

Affected: standalone CGI, Mongrel, WEBrick
Unaffected: FastCGI
Unknown: mod_ruby

== USAGE

First, make sure you have the Hoe gem installed. Then:

  sudo gem install cgi_multipart_eof_fix --source blog.evanweaver.com

Then run the included test to verify the flaw is corrected.

You must require the gem in every affected application, as follows:

  require 'rubygems'
  require 'cgi_multipart_eof_fix'

If you only use mongrel_rails for application hosting, you may install mongrel like so:

  sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases

Then mongrel will require the fix for you, provided you have installed version 2.0.0 of this gem. This is a hack, and mongrel may change in the future.

== RESOURCES

http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
http://blog.evanweaver.com/articles/2006/12/05/new-cgi-rb-vulnerability

== LICENSE

Licensed under the same license as Ruby itself. Software contains the work of others.

-- 
Posted via http://www.ruby-forum.com/.
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
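The defect the README describes, shown as an added example that is not code from cgi.rb or the cgi_multipart_eof_fix gem: a boundary taken from the request's Content-Type header is interpolated into a Regexp, so request data becomes regex syntax unless it is passed through Regexp.escape. The header, body and boundary values below are constructed; the helper names are my own.

```ruby
# Added illustration, not code from cgi.rb or the cgi_multipart_eof_fix gem.
# The multipart boundary is attacker-controlled (it comes from the request's
# Content-Type header). Splicing it into a Regexp unescaped lets request data
# become regex syntax; Regexp.escape closes that hole. All inputs are constructed.

# Extract the boundary parameter from a Content-Type header value.
def boundary_from_content_type(content_type)
  m = content_type.match(/boundary=("?)([^";]+)\1/i)
  m && m[2]
end

# Defective shape: the boundary is spliced into the pattern as-is, so any
# regex metacharacters it carries are interpreted rather than matched.
def delimiter_regexp_unescaped(boundary)
  Regexp.new("(?:\\A|\\r?\\n)--#{boundary}(?:--)?\\r?\\n")
end

# Hardened shape: Regexp.escape makes the boundary match only itself.
def delimiter_regexp_escaped(boundary)
  Regexp.new("(?:\\A|\\r?\\n)--#{Regexp.escape(boundary)}(?:--)?\\r?\\n")
end

# Number of delimiter lines a given pattern finds in a body.
def delimiter_count(body, re)
  body.scan(re).size
end

# True when the unescaped build rejects the boundary as malformed regex;
# request data reaching the regex compiler at all is the bug.
def unescaped_build_fails?(boundary)
  delimiter_regexp_unescaped(boundary)
  false
rescue RegexpError
  true
end

# Constructed sample: the real delimiter is "ab.cd"; "--abXcd" is ordinary
# content that only a regex-interpreted '.' would mistake for a delimiter.
SAMPLE_HEADER = "multipart/form-data; boundary=ab.cd"
SAMPLE_BODY   = "--ab.cd\r\nfoo\r\n--abXcd\r\nbar\r\n--ab.cd--\r\n"

if __FILE__ == $0
  b = boundary_from_content_type(SAMPLE_HEADER)
  puts "unescaped: #{delimiter_count(SAMPLE_BODY, delimiter_regexp_unescaped(b))} delimiters"  # 3
  puts "escaped:   #{delimiter_count(SAMPLE_BODY, delimiter_regexp_escaped(b))} delimiters"    # 2
  puts "boundary 'a(b' breaks the unescaped build: #{unescaped_build_fails?('a(b')}"          # true
end
```

The escaped form is the shape of fix the README names; on Ruby 3.2 and later, Regexp.timeout= is an additional process-wide backstop against any remaining pattern that backtracks badly.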
Jeremy Kemper
2006-Dec-06 05:12 UTC
Re: [SECURITY] Hotfix for cgi.rb vulnerability of Dec. 4, 2006
On 12/5/06, Evan Weaver <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I've released a hotfix, just like the last one from Zed Shaw, for the
> new cgi.rb denial-of-service vulnerability, which does affect Rails. You
> can get it here:
>
> http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
>
> It will be useful to you if you are unable or unwilling to upgrade your
> core Ruby cgi.rb file. We have deployed it on Chow.com and are making it
> available to everyone.

Thanks for updating the gem, Evan!

A historical note: Jamis Buck is the author; he found, fixed, and tested the original vulnerability.

Best,
jeremy
You're welcome. Thanks for the clarification; I see now in Zed's original post that he credited you and Jamis.

Evan