On Dec 29, 2007 2:35 AM, Tom C. [email protected] wrote:
> Apologies for starting a new thread; I just subscribed.
> Has anyone been able to make this exploit happen if requests are being
> proxied to Mongrel through Apache? I’ve been trying variations on the
> double-encoding thing and can’t trigger the exploit through Apache.
> Hitting Mongrel directly does expose the problem.
Yeah Tom, using a proxy/balancer like Apache and nginx will filter
this, but some folks serve Mongrel directly, or use not-so-clever
balancers that didn’t filter this kind of exploit.
> I’ll still upgrade my servers, of course, but I don’t want to send an
> unnecessary “upgrade now” note to other folks…
The most common use of Mongrel is “behind a proxy or balancer”, so I only
see development servers being affected by this.
Or, maybe I’m wrong (which happens quite often).
A common mistake that people make when trying to design
something completely foolproof is to underestimate
the ingenuity of complete fools.