Hi,
First, my thanks to Zed for including LiteSpeed in the cgi.rb vulnerability report. Appreciated!
I just got time to review the ruby-lsapi code and test the vulnerability against LiteSpeed. I found that, in our latest ruby-lsapi release 1.11, the lsapi_read() function returns Qnil when the end of the request body has been reached. So, in theory, LiteSpeed should not be vulnerable to this attack. Our test results confirmed what I expected: a 500 Internal Server Error was returned immediately upon receiving the bad multipart request.
However, it is uncertain whether earlier releases of ruby-lsapi are vulnerable or not, so please make sure to upgrade to the latest ruby-lsapi release.
Please take care not to mix manual installation with gem installation; manual installation has higher priority. If you installed an earlier version of ruby-lsapi manually and switched to gem installation later, please make sure to remove the manually installed lsapi.so, usually somewhere under .../lib/ruby/site_ruby/1.8/.
Best Regards, George Wang
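
An added example, not part of the original message or of ruby-lsapi: a Ruby check for the mixed-installation case described above, reporting any lsapi extension on the load path that sits outside the RubyGems directories while a gem copy also exists. The function names and the recursive search under `Gem.path` are assumptions made for this sketch.

```ruby
require 'rbconfig'
require 'rubygems'

# File name of the compiled extension (lsapi.so on Linux).
EXT_NAME = "lsapi.#{RbConfig::CONFIG['DLEXT']}"

# Copies reachable directly through the load path, in resolution order.
def load_path_copies(load_path = $LOAD_PATH)
  load_path.map { |dir| File.expand_path(EXT_NAME, dir.to_s) }
           .select { |path| File.file?(path) }
           .uniq
end

# Copies installed anywhere under the RubyGems directories
# (assumption: a recursive search, so no gem layout is presumed).
def gem_copies(gem_dirs = Gem.path)
  gem_dirs.flat_map { |dir| Dir.glob(File.join(dir, '**', EXT_NAME)) }
          .map { |path| File.expand_path(path) }
          .uniq
          .sort
end

# A conflict means a manually installed copy exists alongside a gem copy,
# so the older manual build may be the one that actually gets loaded.
def lsapi_install_report(load_path = $LOAD_PATH, gem_dirs = Gem.path)
  gems = gem_copies(gem_dirs)
  manual = load_path_copies(load_path) - gems
  { manual: manual, gem: gems, conflict: !manual.empty? && !gems.empty? }
end

if __FILE__ == $PROGRAM_NAME
  report = lsapi_install_report
  report[:manual].each { |path| puts "manual copy: #{path}" }
  report[:gem].each { |path| puts "gem copy:    #{path}" }
  puts(report[:conflict] ? 'Conflict: remove the manual copy.' : 'No conflict found.')
end
```

Run it with the same Ruby interpreter the web server uses, since each interpreter has its own site_ruby directory and gem path.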