Hi,
First, my thanks to Zed for including LiteSpeed in the cgi.rb vulnerability
report. Appreciated!
I just got time to review the ruby-lsapi code and test the vulnerability
against LiteSpeed.
I found that, in our latest ruby-lsapi release 1.11, the lsapi_read()
function returns Qnil when the end of the request body has been reached. So,
in theory, LiteSpeed should not be vulnerable to this attack.
Our test results confirmed what I expected: a 500 Internal Server Error
was returned immediately upon receiving the bad multipart request.
However, it is uncertain whether earlier releases of ruby-lsapi are
vulnerable or not, so please make sure to upgrade to the latest ruby-lsapi
release.
Please be careful not to mix manual installation with gem
installation. Manual installation has higher priority: if you have
installed an earlier version of ruby-lsapi manually and switch to gem
installation later, please make sure to remove the manually installed
lsapi.so, usually somewhere under …/lib/ruby/site_ruby/1.8/.
Best Regards,
George W.
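
A way to check for the mixed installation described in the message above, as an added example that is not part of the original message or of ruby-lsapi: it lists manually installed copies of lsapi.so in site_ruby directories next to copies inside installed ruby-lsapi gems. The gem directory layout (gems/ruby-lsapi-<version>/) and all helper names are assumptions.

```ruby
# Added example: find every lsapi.so that could be loaded, so a stale manual
# copy that takes priority over the gem-installed one can be removed.
# Assumptions: manual installs sit directly in a $LOAD_PATH directory whose
# path contains "site_ruby"; gems unpack under <gem home>/gems/ruby-lsapi-<ver>/.

EXT_NAME = "lsapi.so" # file name given in the message above

# Copies sitting in site_ruby directories of the load path, in search order.
def manual_copies(load_path, file = EXT_NAME)
  load_path.select { |d| d.to_s.include?("site_ruby") }
           .map { |d| File.join(d.to_s, file) }
           .select { |p| File.file?(p) }
end

# Copies shipped inside installed ruby-lsapi gems.
def gem_copies(gem_homes, file = EXT_NAME)
  gem_homes.flat_map { |g| Dir.glob(File.join(g, "gems", "ruby-lsapi-*", "**", file)) }.sort
end

# Summarize findings; :stale lists manual copies to delete because a gem
# copy exists and the manual one would be picked up first.
def audit_lsapi(load_path, gem_homes)
  manual = manual_copies(load_path)
  gems = gem_copies(gem_homes)
  { :manual => manual, :gem => gems, :stale => gems.empty? ? [] : manual }
end

if __FILE__ == $0
  homes = defined?(Gem) ? Gem.path : []
  report = audit_lsapi($LOAD_PATH, homes)
  report[:gem].each { |p| puts "gem copy:    #{p}" }
  report[:manual].each { |p| puts "manual copy: #{p}" }
  report[:stale].each { |p| puts "REMOVE (shadows the gem): #{p}" }
  puts "no mixed installation found" if report[:stale].empty?
end
```

Run it with the same ruby binary the application server uses, since each interpreter has its own site_ruby and gem directories.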