snax

mongrel denial of service vulnerability

There is a denial of service vulnerability for Ruby applications that either use cgi.rb, or run on Mongrel or Litespeed. This means that Rails is affected. The fix is described below.

problem

Zed Shaw makes a full report here, explaining that:

…there has been an exploitable bug in the Ruby CGI library named cgi.rb, which allows anyone on the internet to send a single HTTP request to any Ruby program (not just Mongrel) using cgi.rb multipart parsing with a malformed MIME body that causes the Ruby process to go into a 99% CPU infinite loop, killing it.

fix

The quickest fix is to update your mongrel version. You have to use --source, though, because 0.3.14 isn’t in the main repository yet:

sudo gem install mongrel --source=http://mongrel.rubyforge.org/releases

Be warned. This gem breaks relative paths in X-Sendfile headers with Apache 2.2 (and possibly others). Use File.expand_path() to convert to absolute before you set the header.

more information

See the mailing list message for alternative fixes if you don’t use mongrel or if upgrading the mongrel gem is not an option for you.

Thanks to cdcarter for the tip.