Hi,
I’ve released a hotfix, just like the last one from Zed S., for the
new cgi.rb denial-of-service vulnerability, which does affect Rails. You
can get it here:
http://blog.evanweaver.com/articles/2006/12/05/cgi-rb-vulnerability-hotfix
It will be useful to you if you are unable or unwilling to upgrade your
core Ruby cgi.rb file. We have deployed it on Chow.com and are making it
available to everyone.
Evan
=== README ===
DESCRIPTION
Fix an exploitable bug in CGI multipart parsing which affects Ruby <=
1.8.5 when multipart boundary attribute contains a non-halting regular
expression string. The boundary searcher in the CGI module does not
properly escape the user-supplied parameter and will execute arbitrary
regular expressions. The fix adds escaping for the user data.
This fix is cumulative with previous CGI multipart vulnerability
fixes; see version 1.0.0 of the gem by Zed S…
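To make the DESCRIPTION concrete, here is a small added example (not the gem's code and not Ruby's cgi.rb) of the defensive pattern the fix applies: the multipart boundary comes from the client's Content-Type header, so any regular expression built from it must pass it through Regexp.escape, which makes metacharacters such as "(", "+" and "." match literally. The function names, the sample boundary and the constructed multipart body are all assumptions for illustration.

```ruby
# Added example: an escaped multipart boundary matcher and a minimal splitter
# that uses it. None of this is cgi.rb or cgi_multipart_eof_fix code.

# Build the boundary matcher. The boundary is client-supplied (it arrives in
# the Content-Type header), so it is escaped before being interpolated into
# the pattern. Without Regexp.escape, "a+b" would match "aab", "aaab", ...
def boundary_pattern(boundary)
  /--#{Regexp.escape(boundary)}(?:--)?\r\n/
end

# Belt-and-braces check from RFC 2046 section 5.1.1: a boundary is 1..70
# characters from a fixed alphabet and may not end in a space. Note that
# "(", ")", "+", "." and "?" are all permitted, so this check alone does not
# remove the need for escaping.
def valid_boundary?(boundary)
  return false unless boundary.match?(%r{\A[A-Za-z0-9'()+_,\-./:=? ]{1,70}\z})
  !boundary.end_with?(" ")
end

# Split a multipart/form-data body into [name, content] pairs using the
# escaped boundary. Raises if the boundary is syntactically invalid.
def split_multipart(body, boundary)
  raise ArgumentError, "invalid multipart boundary" unless valid_boundary?(boundary)

  body.split(boundary_pattern(boundary)).reject(&:empty?).map do |chunk|
    headers, content = chunk.split("\r\n\r\n", 2)
    name = headers[/name="([^"]*)"/, 1]
    [name, content.to_s.chomp("\r\n")]
  end
end

# Constructed sample input: a boundary that contains regex metacharacters
# and a two-part body delimited by it.
SAMPLE_BOUNDARY = "x(y)+."
SAMPLE_BODY = [
  "--#{SAMPLE_BOUNDARY}",
  'Content-Disposition: form-data; name="a"',
  "",
  "hello",
  "--#{SAMPLE_BOUNDARY}",
  'Content-Disposition: form-data; name="b"',
  "",
  "world",
  "--#{SAMPLE_BOUNDARY}--",
  ""
].join("\r\n")

if __FILE__ == $0
  split_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY).each do |name, content|
    puts "#{name}=#{content.inspect}"
  end
end
```

The point of the example is the contrast in boundary_pattern: with escaping, "--x(y)+." is matched only by the literal bytes the client sent, and a boundary cannot change the shape of the pattern the server evaluates. The RFC 2046 alphabet check is a useful second line of defence (it bounds length and rejects characters no legitimate client sends), but as the comment notes it still admits metacharacters, so it complements the escaping rather than replacing it.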
SCOPE
Affected: standalone CGI, Mongrel, WEBrick
Unaffected: FastCGI
Unknown: mod_ruby
USAGE
First, make sure you have the Hoe gem installed. Then:
sudo gem install cgi_multipart_eof_fix --source blog.evanweaver.com
Then run the included test to verify the flaw is corrected. You must require the
gem in every affected application, as follows:
require 'rubygems'
require 'cgi_multipart_eof_fix'
If you only use mongrel_rails for application hosting, you may install
mongrel like so:
sudo gem install mongrel
--source=http://mongrel.rubyforge.org/releases
Then mongrel will require the fix for you, provided you have installed
version 2.0.0 of this gem. This is a hack, and mongrel may change in the
future.
RESOURCES
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
LICENSE
Licensed under the same license as Ruby itself. Software contains the
work of others.