Re: [Announce/Security Advisory] monit 4.1.1 released


From: Martin
Subject: Re: [Announce/Security Advisory] monit 4.1.1 released
Date: Tue, 25 Nov 2003 13:27:31 +0100

Hi,

I personally think such a method will not help very much. It is possible to use
both vulnerabilities regardless of authentication. A potential attacker need not
know the exact version before an attempt; he can easily test whether the system is
vulnerable or not directly by the attack. On the other side, it is true that
each building block helps; some users may prefer not to tell any unnecessary
information.

My +0 vote for hiding monit version

Cheers :)
Martin


----- Original message -----
From: Andreas Rust <address@hidden>
Date: Tuesday, 25 November 2003 - 11:40 AM
Subject: Re: [Announce/Security Advisory] monit 4.1.1 released

> 
> Hello all,
> 
> I just started upgrading monit on my servers and recognized that,
> esp. with these vulnerabilities in mind, it may be a good idea to NOT
> tell the version of Monit on failed httpd authorization requests.
> 
> Whenever you abort the http auth request there comes:
> 
> 
> Unauthorized
> 
> You are not authorized to access monit. Either you supplied the wrong
> credentials (e.g. bad password), or your browser doesn't understand
> how to supply the credentials required
> 
> 
> ----------
> <http://www.tildeslash.com/monit/> monit 4.1-beta3
> 
> 
> 
> Where the last link should probably only be named Monit ... hm ?
> 
> Apache for instance doesn't tell anything on such failed queries.
> 
> l8r
> 
> >-- Vulnerability 1: Long http method stack overflow
> >
> >-- Vulnerability 2: Denial of Service via negative Content-Length field
>     Andreas Rust     -   webnova GmbH
>     address@hidden  -   www.webnova.de
>     Tel:  +49 (0)234 - 912 96 10
>     Fax:  +49 (0)234 - 912 96 15
> +:----------------------------------------------------------:+
>       Internet Solutions & Creative Design
> 
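The thread discusses whether the monit HTTP interface should keep printing its version in the footer of the "Unauthorized" page. The following is an added example, not code from the thread or from the monit project: a small self-check an operator can run against their own monit web interface after upgrading, to confirm the 401 body no longer carries a version string. The two sample bodies are constructed from the page quoted above; `fetch_unauthorized_body` assumes the interface is behind HTTP basic auth (so an unauthenticated request yields 401) and is only called when a URL is supplied on the command line.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed sample: the 401 body quoted in the thread, reduced to the parts that matter.
LEAKY_401_BODY = """<html><body>
<h1>Unauthorized</h1>
<p>You are not authorized to access monit. Either you supplied the wrong
credentials (e.g. bad password), or your browser doesn't understand how to
supply the credentials required</p>
<hr>
<a href="http://www.tildeslash.com/monit/">monit 4.1-beta3</a>
</body></html>"""

# Constructed sample: the same page with the footer link reduced to the product name only,
# which is what the thread suggests the footer should look like.
CLEAN_401_BODY = LEAKY_401_BODY.replace("monit 4.1-beta3", "monit")

# Matches "monit" followed by a dotted version, optionally with a "-beta3"-style suffix.
# The word boundary keeps "access monit." and ".../monit/" from matching.
VERSION_RE = re.compile(r"\bmonit\s+(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)", re.IGNORECASE)


def find_version_banner(body: str):
    """Return the version string disclosed in a response body, or None if there is none."""
    m = VERSION_RE.search(body)
    return m.group(1) if m else None


def check_unauthorized_body(body: str) -> dict:
    """Summarise whether an 'Unauthorized' response body leaks the server version."""
    version = find_version_banner(body)
    return {"discloses_version": version is not None, "version": version}


def fetch_unauthorized_body(url: str, timeout: float = 5.0) -> str:
    """Request URL without credentials and return the body of the 401 response.

    Assumption (not from the thread): the monit interface answers unauthenticated
    requests with 401. Any other status is treated as unexpected and re-raised.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "monit-401-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # No auth challenge at all: hand the body back so the caller can inspect it.
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        if e.code != 401:
            raise
        return e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check.py http://localhost:2812/   (hypothetical local monit URL)
        print(check_unauthorized_body(fetch_unauthorized_body(sys.argv[1])))
    else:
        for name, body in (("leaky", LEAKY_401_BODY), ("clean", CLEAN_401_BODY)):
            print(name, check_unauthorized_body(body))
```

Run without arguments it evaluates the two constructed bodies; with a URL it fetches your own interface and reports whether the footer still names a version. The regex deliberately requires a dotted number after "monit", so a footer that links to the project page but prints only the product name passes the check.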