monit-general

Re: [Announce/Security Advisory] monit 4.1.1 released


From: Andreas Rust
Subject: Re: [Announce/Security Advisory] monit 4.1.1 released
Date: Tue, 25 Nov 2003 11:40:00 +0100


Hello all,

I just started upgrading monit on my servers and recognized that, esp. with these
vulnerabilities in mind, it may be a good idea to NOT tell the version of
Monit on failed httpd authorization requests.

Whenever you abort the http auth request, you get:


Unauthorized

You are not authorized to access monit. Either you supplied the wrong credentials (e.g. bad password), or your browser doesn't understand how to supply the credentials required


----------
<http://www.tildeslash.com/monit/>monit 4.1-beta3



Where the last link should probably only be named Monit ... hm ?

Apache for instance doesn't tell anything on such failed queries.

l8r

-- Vulnerability 1: Long http method stack overflow

-- Vulnerability 2: Denial of Service via negative Content-Length field

    Andreas Rust     -   webnova GmbH
    address@hidden  -   www.webnova.de
    Tel:  +49 (0)234 - 912 96 10
    Fax:  +49 (0)234 - 912 96 15
+:----------------------------------------------------------:+
      Internet Solutions & Creative Design
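
A check for the banner described in this message, as an added example that is not part of the original post or of monit's own code: it scans a 401/403 response for product-and-version strings. The sample response is constructed; its headers are assumptions, and the body follows the error page quoted above.

```python
import re

# Product token followed by a dotted version, e.g. "4.1-beta3" or "2.4.57".
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)[ /]v?(\d+(?:\.\d+)+(?:-[A-Za-z0-9]+)?)")
# Response headers that commonly carry a software banner.
BANNER_HEADERS = {"server", "x-powered-by", "www-authenticate"}


def find_version_leaks(raw_response):
    """Return (location, 'product version') pairs found in a 401/403 response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    if status not in (401, 403):
        return []  # only pre-authentication error responses are checked here
    leaks = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in BANNER_HEADERS:
            leaks += [("header:" + name.strip(), " ".join(m.groups()))
                      for m in VERSION_RE.finditer(value)]
    text = re.sub(r"<[^>]+>", " ", body)  # drop tags so href URLs are not matched
    leaks += [("body", " ".join(m.groups())) for m in VERSION_RE.finditer(text)]
    return leaks


# Constructed sample: headers are assumed, body text follows the quoted error page.
LEAKY_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="monit"\r\n'
    "Content-Type: text/html\r\n\r\n"
    "<html><body><h2>Unauthorized</h2>"
    "<p>You are not authorized to access monit.</p><hr>"
    '<a href="http://www.tildeslash.com/monit/">monit 4.1-beta3</a>'
    "</body></html>"
)
# Same page with the footer link named only "monit", as the post suggests.
QUIET_401 = LEAKY_401.replace("monit 4.1-beta3", "monit")

if __name__ == "__main__":
    print(find_version_leaks(LEAKY_401))
    print(find_version_leaks(QUIET_401))
```
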
