[SEC] Latest LiteSpeed ruby-lsapi is not vulnerable to the cgi.rb 99% CPU DoS attack

Hi,

First, my thanks to Zed for including LiteSpeed in the cgi.rb vulnerability
report. Appreciated!

I just got time to review ruby-lsapi code and test the vulnerability
against LiteSpeed.
I found that, in our latest ruby-lsapi release 1.11, the lsapi_read()
function returns Qnil when the end of the request body has been reached. So,
in theory, LiteSpeed should not be vulnerable to this attack.
Our test results confirmed what I expected: a 500 Internal Server Error
was returned immediately upon receiving the bad multipart request.

However, it is unclear whether earlier releases of ruby-lsapi are
vulnerable or not, so please make sure to upgrade to the latest ruby-lsapi
release.

Please pay attention not to mix manual installation with gem
installation; manual installation has higher priority. If you have
installed an earlier version of ruby-lsapi manually and switch to gem
installation later, please make sure to remove the lsapi.so that was installed
manually, usually somewhere under .../lib/ruby/site_ruby/1.8/.

Best Regards,
George Wang
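The nil-versus-empty-string distinction George describes is the whole point of the fix: a multipart reader that only stops on nil will spin forever if the input layer hands back "" once the body is exhausted, because a zero-length read never makes progress toward the closing boundary. The following is an added example, not part of the original thread and not ruby-lsapi's, cgi.rb's or LiteSpeed's actual code. It models a simplified read loop, two constructed input adapters (one returning "" at end of body, one returning nil as George says lsapi_read() does), and the hardened check that treats both as end of body. The boundary, body text and `max_reads` guard are constructed for the demonstration.

```ruby
require 'stringio'

# Constructed sample: a multipart body whose closing boundary line never
# arrives (the shape of a "bad multipart request"). Content is irrelevant;
# only its truncation matters.
BOUNDARY = "----constructed-boundary"
TRUNCATED_BODY =
  "--#{BOUNDARY}\r\nContent-Disposition: form-data; name=\"f\"\r\n\r\npartial"
COMPLETE_BODY = TRUNCATED_BODY + "\r\n--#{BOUNDARY}--\r\n"

# Hypothetical input adapter that returns "" (not nil) once the body is
# exhausted. This is the behaviour that lets a nil-only EOF check spin.
class EmptyStringAtEOF
  def initialize(body)
    @io = StringIO.new(body)
  end

  def read(n)
    @io.read(n) || ""
  end
end

# Hypothetical adapter that returns nil at end of body, the behaviour George
# attributes to ruby-lsapi 1.11's lsapi_read() (Qnil is Ruby's nil).
class NilAtEOF
  def initialize(body)
    @io = StringIO.new(body)
  end

  def read(n)
    @io.read(n)
  end
end

# Simplified stand-in for a boundary-seeking read loop with a nil-only EOF
# check. max_reads is purely a harness guard so the demonstration terminates;
# the real loop has no such guard and would burn CPU indefinitely.
def read_until_boundary_nil_only(input, boundary, max_reads: 1000)
  buf = String.new
  reads = 0
  until buf.include?("--#{boundary}--")
    chunk = input.read(1024)
    raise EOFError, "bad content body" if chunk.nil?   # "" slips through
    buf << chunk
    reads += 1
    return :spun_out if reads >= max_reads
  end
  buf
end

# Hardened loop: a nil OR an empty read means the body is over, and a body
# that ends without its closing boundary is rejected outright.
def read_until_boundary_hardened(input, boundary)
  buf = String.new
  until buf.include?("--#{boundary}--")
    chunk = input.read(1024)
    raise EOFError, "bad content body" if chunk.nil? || chunk.empty?
    buf << chunk
  end
  buf
end

# Classify what a given loop does with a given input adapter.
def outcome(parser, input)
  result = parser.call(input)
  result == :spun_out ? :spun_out : :parsed
rescue EOFError
  :rejected
end

NIL_ONLY = ->(i) { read_until_boundary_nil_only(i, BOUNDARY) }
HARDENED = ->(i) { read_until_boundary_hardened(i, BOUNDARY) }

if __FILE__ == $0
  puts "nil-only loop, \"\" at EOF:  #{outcome(NIL_ONLY, EmptyStringAtEOF.new(TRUNCATED_BODY))}"
  puts "nil-only loop, nil at EOF: #{outcome(NIL_ONLY, NilAtEOF.new(TRUNCATED_BODY))}"
  puts "hardened loop, \"\" at EOF:  #{outcome(HARDENED, EmptyStringAtEOF.new(TRUNCATED_BODY))}"
  puts "hardened loop, complete:   #{outcome(HARDENED, NilAtEOF.new(COMPLETE_BODY))}"
end
```

Run stand-alone it prints `spun_out`, `rejected`, `rejected`, `parsed` in that order: the nil-returning input (George's case) makes even the nil-only loop fail fast with an error, which matches the immediate 500 he observed, while the hardened check makes the outcome independent of which convention the input layer follows. The `chunk.empty?` test is the part worth carrying into any read loop that waits for a delimiter.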

Thanks for the report, George.

Earlier LSAPI versions hit the CGI bug but are not affected since they quickly time out.

It’s good to know that the latest LSAPI avoids the problem entirely.

I did not test LiteSpeed + FastCGI.

jeremy