Re: [Announce/Security Advisory] monit 4.1.1 released

From: Andreas Rust
Subject: Re: [Announce/Security Advisory] monit 4.1.1 released
Date: Tue, 25 Nov 2003 11:40:00 +0100

Hello all,

I just started upgrading monit on my servers and recognized that, esp. with these
vulnerabilities in mind, it may be a good idea to NOT tell the version of
Monit on failed httpd authorization requests.

Whenever you abort the http auth request there comes:


You are not authorized to access monit. Either you supplied the wrong credentials (e.g. bad password), or your browser doesn't understand how to supply the credentials required

<>monit 4.1-beta3

Where the last link should probably only be named Monit ... hm ?

Apache for instance doesn't tell anything on such failed queries.


-- Vulnerability 1: Long http method stack overflow

-- Vulnerability 2: Denial of Service via negative Content-Length field

    Andreas Rust     -   webnova GmbH
    address@hidden  -
    Tel:  +49 (0)234 - 912 96 10
    Fax:  +49 (0)234 - 912 96 15
      Internet Solutions & Creative Design
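
A check for the behaviour described in the message above, as an added example that is not part of the original post or of monit's own code: it scans an unauthenticated 401 response for product/version strings and shows the version-free form the message suggests. The sample responses are constructed, and the function names are hypothetical.

```python
import re

# "product 1.2", "product/1.2.3", "product 4.1-beta3": a name followed by a dotted version.
VERSION_RE = re.compile(
    r"\b([A-Za-z][A-Za-z0-9_+-]*)[ /]v?(\d+(?:\.\d+)+(?:-[A-Za-z0-9.]+)?)"
)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: a 401 whose error page ends with a versioned footer link,
# shaped like the page quoted in the message.
SAMPLE_401 = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b"Server: monit\r\n"
    b'WWW-Authenticate: Basic realm="monit"\r\n'
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><p>You are not authorized to access monit.</p>"
    b'<hr><a href="http://example.invalid/">monit 4.1-beta3</a></body></html>'
)
# Constructed sample: the same response without the versioned footer.
SAMPLE_CLEAN = (
    b"HTTP/1.0 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="monit"\r\n\r\n'
    b"<html><body>You are not authorized to access monit.</body></html>"
)

def find_version_leaks(raw: bytes):
    """Return (location, text) pairs for version strings in a raw 401 response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    if int(lines[0].split()[1]) != 401:
        return []  # only the pre-authentication error page is of interest here
    findings = []
    for line in lines[1:]:  # skip the status line, "HTTP/1.0" is not a leak
        name, _, value = line.partition(":")
        for m in VERSION_RE.finditer(value):
            findings.append(("header:" + name.strip().lower(), m.group(0)))
    text = TAG_RE.sub(" ", body.decode("latin-1"))  # look at visible text only
    for m in VERSION_RE.finditer(text):
        findings.append(("body", m.group(0)))
    return findings

def strip_version(text: str) -> str:
    """Keep the product name and drop the version, as the message proposes."""
    return VERSION_RE.sub(lambda m: m.group(1), text)

if __name__ == "__main__":
    print(find_version_leaks(SAMPLE_401))
    print(strip_version("monit 4.1-beta3"))
```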
