rails affected by new cgi.rb vulnerability

Another denial-of-service vulnerability has been discovered in cgi.rb’s multipart mime parsing. You can read Zed’s message about it here. The diff is here.


I have an exploit, and will disclose it tomorrow. Basically, the multipart boundary attribute is inserted directly into the regular expression that parses the message contents. This means you can use a regular expression sequence that will cause an infinite loop, via a POST request.

Regular expressions in practice do not always halt, because of look-behinds and other features like that.

scope of the problem

As far as I can tell, this does not affect mongrel itself unless you specifically use cgi.rb’s multipart mime parsing in your mongrel handler. Camping does not use cgi.rb at all.

Rails, however, uses it. Rails on mongrel can be bogged down by a series of malicious requests, and Rails on webrick can be completely halted by a single one. Tests suggest that fastcgi is not affected.

You can read more about the multipart boundary parameter in RFC 2388.