Another DoS Vulnerability in CGI Library

Posted by Shugo Maeda on 4 Dec 2006

Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

This vulnerability is open to the public as JVN#84798830.

Please note that the previous patch (<URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch>) does not fix this problem.

Impact

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.

Vulnerable versions

1.8 series

1.8.5 and all prior versions

Development version (1.9 series)

All versions before 2006-12-04

Solution

1.8 series

Please upgrade to 1.8.5-p2.

<URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz> (4519151 bytes, md5sum: a3517a224716f79b14196adda3e88057)

Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)

Please update your Ruby to a version after 2006-12-04.