Regarding the 1.1.3 security release

  • Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being
proxied to Mongrel through Apache? I’ve been trying variations on the
double-encoding thing and can’t trigger the exploit through Apache.
Hitting Mongrel directly does expose the problem.

I’ll still upgrade my servers, of course, but I don’t want to send an
unnecessary “upgrade now” note to other folks…

Thanks,

Tom

On Dec 29, 2007 2:35 AM, Tom C. [email protected] wrote:

  • Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being
proxied to Mongrel through Apache? I’ve been trying variations on the
double-encoding thing and can’t trigger the exploit through Apache.
Hitting Mongrel directly does expose the problem.

Yeah Tom, using a proxy/balancer like apache and nginx will filter
this, but some folks serve mongrel directly, or using not-so-clever
balancers that didn’t filter this kind of exploits.

I’ll still upgrade my servers, of course, but I don’t want to send an
unnecessary “upgrade now” note to other folks…

Most common use of mongrel is “behind a proxy or balancer”, so I only
see development servers is being affected by this.

Or, maybe I’m wrong (which happens quite often).


Luis L.
Multimedia systems

A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.
Douglas Adams

On Dec 28, 2007, at 9:35 PM, Tom C. wrote:

Thanks,

Tom

As far as I can tell this is only exploitable on direct mongrel hits.
I cannot make it happen on mongrels behind nginx or apache.

Cheers-

I think ‘pen’ is vulnerable. I don’t think mod_proxy_balancer is. You
will need to check your own site.

The new gems will be out in a few hours for all platforms.

Evan

On Sat, 29 Dec 2007 00:35:15 -0500
Tom C. [email protected] wrote:

  • Apologies for starting a new thread; I just subscribed.

Has anyone been able to make this exploit happen if requests are being
proxied to Mongrel through Apache? I’ve been trying variations on the
double-encoding thing and can’t trigger the exploit through Apache.
Hitting Mongrel directly does expose the problem.

I’ll still upgrade my servers, of course, but I don’t want to send an
unnecessary “upgrade now” note to other folks…

I think others said it, but I’ll lay out the conditions for what is the
most likely upgrade requirement:

  1. If you use nginx or apache (and maybe other full web servers with a
    proxy module) then you can wait to upgrade, but probably not very
    long. This is because these servers do their own checking as well, and
    are handling your files. That means a request for the file will be
    dropped, and blocked.
  2. If you use a pure TCP/IP based proxy balancer (balance, pen,
    swiftiply?) then you must upgrade as these do no checks on the incoming
    TCP packets.
  3. If you use mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one line fix. You
don’t need the comments :slight_smile:

Hope that helps.


Zed A. Shaw

2007/12/29, Zed A. Shaw [email protected]:

  1. If you use nginx or apache (and maybe other full web servers with a
    proxy module) then you can wait to upgrade, but probably not very
    long. This is because these servers do their own checking as well, and
    are handling your files. That means a request for the file will be
    dropped, and blocked.

I have an Apache 2.0 protected by modsecurity (with standard
configuration), and the result of
GETting
http://host.domain.it//.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd
is HTTP 501: Method Not Implemented

GET to //.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd not supported.
Apache/2.0.x (RHEL) Server at host.domain.it Port 80

that means that modsecurity stops the request before it hits Apache.
Don’t know if Apache would stop it by itself, just to suggest that
this extra layer of security could be added for free and it does not
interfere with Rails application we’ve here.

On Sat, 2007-12-29 at 03:32 -0500, Zed A. Shaw wrote:

TCP packets.
3) If you use mongrel directly to serve content then you must upgrade.

If you cannot upgrade, see the list earlier for the one line fix. You
don’t need the comments :slight_smile:

Cool, thanks much for the summary and also for the quick fix!

Yours,

tom

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs