Date: Mon, 18 Aug 2014 22:44:50 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Eduardo Silva <eduardo@...key.io>
Subject: CVE request / advisory: Monkey web server <= v1.5.2

Hi,

I'd like to request a CVE ID for this issue. It was found in software from the Monkey Project (monkey-project.com), which develop the open-source Monkey Web Server. This is the first such request and the issue is (now) public; this message serves as an advisory as well.

Affected software: Monkey Web Server

Description: When the File Descriptor Table (FDT) mechanism is enabled (the default setting), any HTTP requests that result in a custom error message being returned cause a file descriptor (to the custom error message content file) to be leaked. An attacker can therefore repeatedly send such requests so as to leak a large number of descriptors. Eventually, the server will reach the OS-enforced per-process limit on the amount of open file descriptors (as given by `ulimit -n`). From this point on, and until the server is restarted, any request that requires the opening of another file in order to be handled will fail; even valid requests from other parties for normal files will fail with an HTTP 403 error. This is a simple denial-of-service attack.

Workaround: Do not use custom error messages, or disable the File Descriptor Table by using the "FDT off" directive in the server configuration file (see http://monkey-project.com/documentation/1.5/configuration/server.html#fdt).

Affected versions: <= v1.5.2

Fixed version: v1.5.3

Fix: https://github.com/monkey/monkey/commit/b2d0e6f92310bb14a15aa2f8e96e1fb5379776dd

Release notes: http://monkey-project.com/Announcements/v1.5.3

Reported by: Matthew Daley

Please let me know if you need any further information.

Thanks,

- Matthew Daley
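The descriptor leak described in the advisory above can be spotted on a running Linux host before the per-process limit is reached. The following is an added example, not part of the original message or the Monkey project's code: it reads /proc/<pid>/fd and /proc/<pid>/limits and flags any file path that the process holds open many times. The function names and both thresholds are assumptions chosen for illustration.

```python
import os
import sys
from collections import Counter

def soft_nofile_limit(limits_text):
    """Return the soft 'Max open files' value from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft = line.split()[3]  # Max open files <soft> <hard> files
            return None if soft == "unlimited" else int(soft)
    return None

def fd_targets(fd_dir):
    """Count how many descriptors in fd_dir point at each target."""
    counts = Counter()
    for name in os.listdir(fd_dir):
        try:
            counts[os.readlink(os.path.join(fd_dir, name))] += 1
        except OSError:
            continue  # descriptor was closed between listdir and readlink
    return counts

def assess(fd_dir, limits_text, dup_threshold=50, usage_threshold=0.8):
    """Report descriptor usage and paths opened suspiciously often.

    dup_threshold and usage_threshold are illustrative assumptions; tune
    them to the server's normal behaviour.
    """
    counts = fd_targets(fd_dir)
    total = sum(counts.values())
    limit = soft_nofile_limit(limits_text)
    usage = total / limit if limit else 0.0
    # Only real paths matter here; sockets and pipes show up as
    # "socket:[inode]" / "pipe:[inode]" and are unique per descriptor.
    suspects = sorted(
        ((t, n) for t, n in counts.items()
         if t.startswith("/") and n >= dup_threshold),
        key=lambda item: -item[1])
    return {"total": total, "limit": limit, "usage": usage,
            "near_limit": usage >= usage_threshold, "suspects": suspects}

def assess_pid(pid):
    """Run the check against a live process (needs read access to its /proc)."""
    with open(f"/proc/{pid}/limits") as fh:
        return assess(f"/proc/{pid}/fd", fh.read())

if __name__ == "__main__":
    # Pass the server's PID; with no argument the script inspects itself.
    print(assess_pid(int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()))
```

On an affected server, the custom error page file would appear in `suspects` with a count that grows with each error response, while `usage` climbs toward 1.0.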