Date: Mon, 18 Aug 2014 22:44:50 +1200
From: Matthew Daley <>
Cc:, Eduardo Silva <>
Subject: CVE request / advisory: Monkey web server <= v1.5.2


I'd like to request a CVE ID for this issue. It was found in software
from the Monkey Project (, which develop the
open-source Monkey Web Server.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: Monkey Web Server
Description: When the File Descriptor Table (FDT) mechanism is enabled
(the default setting), any HTTP requests that result in a custom error
message being returned cause a file descriptor (to the custom error
message content file) to be leaked. An attacker can therefore
repeatedly send such requests so as to leak a large number of
descriptors. Eventually, the server will reach the OS-enforced
per-process limit on the amount of open file descriptors (as given by
`ulimit -n`). From this point on, and until the server is restarted,
any request that requires the opening of another file in order to be
handled will fail; even valid requests from other parties for normal
files will fail with an HTTP 403 error. This is a simple
denial-of-service attack.
Workaround: Do not use custom error messages, or disable the File
Descriptor Table by using the "FDT off" directive in the server
configuration file (see
Affected versions: <= v1.5.2
Fixed version: v1.5.3
Release notes:
Reported by: Matthew Daley

Please let me know if you need any further information.


- Matthew Daley
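
A defender-side check for the condition the advisory describes, added here as an example and not taken from the advisory or the Monkey Project: it compares a process's open descriptors with its soft `ulimit -n` and flags regular files held open many times, which is what a leaked error-page descriptor looks like. It assumes a Linux `/proc`; the function name `fd_report`, the 0.8 warning ratio and the report layout are hypothetical choices.

```python
import os
import re
import sys
from collections import Counter


def fd_report(pid, proc_root="/proc", warn_ratio=0.8, top=3):
    """Summarise the open descriptors of `pid` against its soft open-files limit."""
    base = os.path.join(proc_root, str(pid))
    soft = None
    # /proc/<pid>/limits row: "Max open files  <soft>  <hard>  files"
    with open(os.path.join(base, "limits")) as fh:
        for line in fh:
            m = re.match(r"Max open files\s+(\S+)\s+(\S+)", line)
            if m and m.group(1) != "unlimited":
                soft = int(m.group(1))
    targets = Counter()
    fd_dir = os.path.join(base, "fd")
    for name in os.listdir(fd_dir):
        try:
            # Each entry is a symlink to the file, socket or pipe behind the fd.
            targets[os.readlink(os.path.join(fd_dir, name))] += 1
        except OSError:
            continue  # descriptor was closed between listdir() and readlink()
    used = sum(targets.values())
    return {
        "used": used,
        "soft_limit": soft,
        "near_limit": soft is not None and used >= warn_ratio * soft,
        # Leak signature: one regular file (path starts with "/") open many times.
        "top_targets": [(t, n) for t, n in targets.most_common(top)
                        if n > 1 and t.startswith("/")],
    }


if __name__ == "__main__":
    # Inspect the given PID, or this interpreter itself when none is given.
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(fd_report(pid))
```

Run it periodically against the server's PID; a `used` count that only grows, dominated by a single error-page path, matches the behaviour described above.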
