Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Aug 2014 22:44:50 +1200
From: Matthew Daley <>
Cc:, Eduardo Silva <>
Subject: CVE request / advisory: Monkey web server <= v1.5.2


I'd like to request a CVE ID for this issue. It was found in software
from the Monkey Project (, which develop the
open-source Monkey Web Server.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: Monkey Web Server
Description: When the File Descriptor Table (FDT) mechanism is enabled
(the default setting), any HTTP requests that result in a custom error
message being returned cause a file descriptor (to the custom error
message content file) to be leaked. An attacker can therefore
repeatedly send such requests so as to leak a large number of
descriptors. Eventually, the server will reach the OS-enforced
per-process limit on the amount of open file descriptors (as given by
`ulimit -n`). From this point on, and until the server is restarted,
any request that requires the opening of another file in order to be
handled will fail; even valid requests from other parties for normal
files will fail with an HTTP 403 error. This is a simple
denial-of-service attack.
Workaround: Do not use custom error messages, or disable the File
Descriptor Table by using the "FDT off" directive in the server
configuration file (see
Affected versions: <= v1.5.2
Fixed version: v1.5.3
Release notes:
Reported by: Matthew Daley

Please let me know if you need any further information.


- Matthew Daley

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.