Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 18 Aug 2014 22:44:50 +1200
From: Matthew Daley <mattd@...fuzz.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, Eduardo Silva <eduardo@...key.io>
Subject: CVE request / advisory: Monkey web server <= v1.5.2

Hi,

I'd like to request a CVE ID for this issue. It was found in software
from the Monkey Project (monkey-project.com), which develop the
open-source Monkey Web Server.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: Monkey Web Server
Description: When the File Descriptor Table (FDT) mechanism is enabled
(the default setting), any HTTP requests that result in a custom error
message being returned cause a file descriptor (to the custom error
message content file) to be leaked. An attacker can therefore
repeatedly send such requests so as to leak a large number of
descriptors. Eventually, the server will reach the OS-enforced
per-process limit on the amount of open file descriptors (as given by
`ulimit -n`). From this point on, and until the server is restarted,
any request that requires the opening of another file in order to be
handled will fail; even valid requests from other parties for normal
files will fail with an HTTP 403 error. This is a simple
denial-of-service attack.
Workaround: Do not use custom error messages, or disable the File
Descriptor Table by using the "FDT off" directive in the server
configuration file (see
http://monkey-project.com/documentation/1.5/configuration/server.html#fdt).
Affected versions: <= v1.5.2
Fixed version: v1.5.3
Fix: https://github.com/monkey/monkey/commit/b2d0e6f92310bb14a15aa2f8e96e1fb5379776dd
Release notes: http://monkey-project.com/Announcements/v1.5.3
Reported by: Matthew Daley

Please let me know if you need any further information.

Thanks,

- Matthew Daley

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.