oss-sec mailing list archives

CVE request / advisory: Monkey web server <= v1.5.2


From: Matthew Daley <mattd () bugfuzz com>
Date: Mon, 18 Aug 2014 22:44:50 +1200

Hi,

I'd like to request a CVE ID for this issue. It was found in software
from the Monkey Project (monkey-project.com), which develop the
open-source Monkey Web Server.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: Monkey Web Server
Description: When the File Descriptor Table (FDT) mechanism is enabled
(the default setting), any HTTP requests that result in a custom error
message being returned cause a file descriptor (to the custom error
message content file) to be leaked. An attacker can therefore
repeatedly send such requests so as to leak a large number of
descriptors. Eventually, the server will reach the OS-enforced
per-process limit on the amount of open file descriptors (as given by
`ulimit -n`). From this point on, and until the server is restarted,
any request that requires the opening of another file in order to be
handled will fail; even valid requests from other parties for normal
files will fail with an HTTP 403 error. This is a simple
denial-of-service attack.
Workaround: Do not use custom error messages, or disable the File
Descriptor Table by using the "FDT off" directive in the server
configuration file (see
http://monkey-project.com/documentation/1.5/configuration/server.html#fdt).
Affected versions: <= v1.5.2
Fixed version: v1.5.3
Fix: https://github.com/monkey/monkey/commit/b2d0e6f92310bb14a15aa2f8e96e1fb5379776dd
Release notes: http://monkey-project.com/Announcements/v1.5.3
Reported by: Matthew Daley

Please let me know if you need any further information.

Thanks,

- Matthew Daley
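
A monitoring check for the condition described in the advisory, as an added example that is not part of the original post or of the Monkey code base: it counts a process's open descriptors, compares the count with the soft limit reported by `ulimit -n`, and reports the most-repeated descriptor target, since here the leaked descriptors all point at the custom error message content file. It assumes the Linux `/proc/<pid>/fd` and `/proc/<pid>/limits` layout; the names `soft_nofile_limit`, `fd_report`, `proc_root` and `warn_ratio` are hypothetical.

```python
import os
from collections import Counter

def soft_nofile_limit(limits_text):
    """Parse the soft 'Max open files' value from /proc/<pid>/limits text."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft = line[len("Max open files"):].split()[0]
            return None if soft == "unlimited" else int(soft)
    raise ValueError("no 'Max open files' row found")

def fd_report(pid, proc_root="/proc", warn_ratio=0.8):
    """Summarise descriptor usage for one process and flag a likely leak."""
    base = os.path.join(proc_root, str(pid))
    targets = Counter()
    for name in os.listdir(os.path.join(base, "fd")):
        try:
            # Each entry is a symlink to whatever the descriptor refers to.
            targets[os.readlink(os.path.join(base, "fd", name))] += 1
        except OSError:
            # Descriptor was closed between listdir() and readlink(); skip it.
            continue
    with open(os.path.join(base, "limits")) as fh:
        limit = soft_nofile_limit(fh.read())
    used = sum(targets.values())
    # A regular file opened many times over is the signature of this leak.
    top_target, top_count = targets.most_common(1)[0] if targets else (None, 0)
    return {
        "used": used,
        "limit": limit,
        "near_limit": limit is not None and used >= warn_ratio * limit,
        "top_target": top_target,
        "top_count": top_count,
    }

if __name__ == "__main__":
    import sys
    # Pass the server's PID; defaults to inspecting this script itself.
    print(fd_report(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

Run periodically against the server's PID, a `top_count` that grows without bound for one regular file gives warning before requests begin failing at the descriptor limit.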

