
New security vulnerability: Mongrel DoS

Posted: 2006-10-27
http://blog.evanweaver.com/articles/2006/10/25/mongrel-denial-of-service-vulnerability

http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html

This is a DoS (denial-of-service) attack.

It targets Mongrel servers and LiteSpeed servers.

The latter is probably not widely used in China:
http://litespeedtech.com/

problem

Zed Shaw makes a full report here, explaining that:

...there has been an exploitable bug in the Ruby CGI library named cgi.rb, which allows anyone on the internet to send a single HTTP request to any Ruby program (not just Mongrel) using cgi.rb multipart parsing with a malformed MIME body that causes the Ruby process to go into a 99% CPU infinite loop, killing it.

The fix is to update Mongrel:

gem install mongrel --source=http://mongrel.rubyforge.org/releases

Please keep an eye on security issues at all times.






