Date: Mon, 18 Aug 2014 22:44:50 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Eduardo Silva <eduardo@...key.io>
Subject: CVE request / advisory: Monkey web server <= v1.5.2

Hi,

I'd like to request a CVE ID for this issue. It was found in software
from the Monkey Project (monkey-project.com), which develop the
open-source Monkey Web Server. This is the first such request and the
issue is (now) public; this message serves as an advisory as well.

Affected software: Monkey Web Server

Description: When the File Descriptor Table (FDT) mechanism is enabled
(the default setting), any HTTP requests that result in a custom error
message being returned cause a file descriptor (to the custom error
message content file) to be leaked.

An attacker can therefore repeatedly send such requests so as to leak a
large number of descriptors. Eventually, the server will reach the
OS-enforced per-process limit on the amount of open file descriptors
(as given by `ulimit -n`). From this point on, and until the server is
restarted, any request that requires the opening of another file in
order to be handled will fail; even valid requests from other parties
for normal files will fail with an HTTP 403 error. This is a simple
denial-of-service attack.

Workaround: Do not use custom error messages, or disable the File
Descriptor Table by using the "FDT off" directive in the server
configuration file (see
http://monkey-project.com/documentation/1.5/configuration/server.html#fdt).

Affected versions: <= v1.5.2

Fixed version: v1.5.3

Fix: https://github.com/monkey/monkey/commit/b2d0e6f92310bb14a15aa2f8e96e1fb5379776dd

Release notes: http://monkey-project.com/Announcements/v1.5.3

Reported by: Matthew Daley

Please let me know if you need any further information.

Thanks,

- Matthew Daley
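
Added example (not part of the original advisory and not Monkey project code): a Linux-side check an operator could run against the server process to spot the condition described above, where descriptors to one error-page file pile up toward the `ulimit -n` soft limit. The sample paths, the sample limits text and the alert thresholds are constructed assumptions.

```python
import os
from collections import Counter

def parse_nofile_soft_limit(limits_text):
    """Return the soft 'Max open files' limit from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            # Columns: three-word name, soft limit, hard limit, units
            soft = line.split()[3]
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max open files' row found")

def assess_fd_leak(targets, soft_limit, usage_alert=0.8, dup_alert=16):
    """Flag descriptors nearing the limit or many descriptors on one file.

    usage_alert and dup_alert are assumed thresholds; tune them per site.
    """
    # Only regular paths; sockets and pipes look like "socket:[1234]".
    counts = Counter(t for t in targets if t.startswith("/"))
    usage = len(targets) / soft_limit if soft_limit else 0.0
    repeated = {p: n for p, n in counts.items() if n >= dup_alert}
    return {"open": len(targets), "usage": usage, "repeated": repeated,
            "alert": usage >= usage_alert or bool(repeated)}

def inspect_pid(pid):
    """Collect live data for a PID (needs read access to /proc/<pid>/fd)."""
    fd_dir = f"/proc/{pid}/fd"
    targets = []
    for name in os.listdir(fd_dir):
        try:
            targets.append(os.readlink(os.path.join(fd_dir, name)))
        except OSError:
            continue  # descriptor closed between listdir and readlink
    with open(f"/proc/{pid}/limits") as fh:
        return assess_fd_leak(targets, parse_nofile_soft_limit(fh.read()))

# Constructed sample data, not captured from a real server.
SAMPLE_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max open files            1024                 4096                 files\n"
)
SAMPLE_TARGETS = (["socket:[1001]", "/var/log/monkey/access.log"]
                  + ["/srv/www/errors/404.html"] * 900)

if __name__ == "__main__":
    limit = parse_nofile_soft_limit(SAMPLE_LIMITS)
    print(assess_fd_leak(SAMPLE_TARGETS, limit))
```
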