MonkeyWeb POST with too much data



  • Hey guys,

    I couldn't find anything about this issue but I did some vulnerability scanning on my pfSense router/firewall and it came back with: "Your web server crashes when it receives a POST command with too much data, it may be possible to make this web server execute arbitrary code."

    Now, this is true since I couldn't log into the web GUI after this scan was run.

    How is this fixable or is it a false positive?

    It says that to fix you have to simply upgrade your web server…

    Thanks!



  • That's a 13 year old vulnerability in "MonkeyWeb", which has nothing to do with anything actually running on your box. The exploit doesn't hurt anything here.
    http://downloads.securityfocus.com/vulnerabilities/exploits/monkey-nuke.pl

    It's a false positive as far as being vulnerable to that in particular, as that web server doesn't exist.

    That might be triggering a lighttpd crash from issues in the version used in 2.2.6, but it's just a crash with no security impact. If you run 'pkg install lighttpd' at a command prompt and reboot, then test again, does it do the same? That crash is confirmed fixed in the latest lighttpd, but might not be related. I haven't really dug into it since we ditched lighttpd for nginx in 2.3.

    What scanning tool are you using?
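
The scanner check quoted in the first post (one POST with an oversized body, after which the GUI stopped answering) and the retest suggested above are cheap to reproduce yourself before and after an upgrade. The script below is an added example, not code from this thread, from the scanner, or from pfSense: it sends a single large POST to a URL you choose, then issues a GET to the same URL to see whether the web server still answers. The target URL, body size and the insecure-TLS switch are assumptions you set for your own box; the embedded local HTTP server is a constructed stand-in so the script runs offline, and since it simply drains the body it will always report the server as alive.

```python
"""Reproduce the 'POST with too much data' check and confirm the web GUI survives it.

Added example (not from the thread or pfSense): send one large POST to the
web server, then GET the same URL to see whether it still answers.
"""
import http.server
import ssl
import threading
import urllib.error
import urllib.request


def _tls_context(insecure):
    # pfSense's GUI normally has a self-signed certificate; insecure=True
    # disables verification (assumption: you own the box you point this at).
    if not insecure:
        return None
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _fetch(req, timeout, ctx):
    """Return the HTTP status, or None if the server never answered."""
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code      # the server answered, just not with 2xx (e.g. 413)
    except OSError:        # URLError, timeout, reset: no usable answer
        return None


def oversized_post_then_check(base_url, size=8 * 1024 * 1024,
                              timeout=15, insecure_tls=False):
    """Send `size` bytes in one POST to base_url, then GET base_url again.

    Returns {"post_status": int or None, "alive": bool}. alive=False means
    the follow-up GET got no usable answer, i.e. the scanner's finding
    reproduced against this server.
    """
    ctx = _tls_context(insecure_tls)
    body = b"A" * size
    post = urllib.request.Request(
        base_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    post_status = _fetch(post, timeout, ctx)
    get_status = _fetch(urllib.request.Request(base_url, method="GET"),
                        timeout, ctx)
    alive = get_status is not None and get_status < 500
    return {"post_status": post_status, "alive": alive}


# --- constructed local stand-in so the example runs offline ----------------
class _StubGui(http.server.BaseHTTPRequestHandler):
    """Minimal server that drains any POST body and always answers 200."""

    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def do_GET(self):
        self._ok()

    def do_POST(self):
        remaining = int(self.headers.get("Content-Length", "0"))
        while remaining > 0:                      # drain the body in chunks
            chunk = self.rfile.read(min(65536, remaining))
            if not chunk:
                break
            remaining -= len(chunk)
        self._ok()

    def log_message(self, *args):                 # keep the console quiet
        pass


def start_stub_gui():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _StubGui)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_stub_gui()
    try:
        print(oversized_post_then_check(f"http://127.0.0.1:{port}/",
                                        size=1024 * 1024))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real firewall you would call something like `oversized_post_then_check("https://192.0.2.1/", insecure_tls=True)` (the address is a placeholder). A `post_status` of 413 or `None` together with `alive` being `True` is the healthy outcome: the server rejected or dropped the oversized request and kept serving. `alive` coming back `False` is the condition the scanner reported, and running the same call before and after the upgrade is the retest asked for above.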



  • Oh ok thanks a lot for your response!

    I'll try to update the lighttpd and see if it still crashes after that.

    I'll post back with results soon, thanks again!



  • So I finally got around to doing that command but it doesn't work and gives an error: pkg: failed to extract pkg-static: Can't create '/usr/local/sbin/pkg-static



  • Since your original post pfSense 2.3 has reached Release status.

    As Chris suggested, it's probably a good idea to upgrade.
    2.3 has dropped lighttpd in favour of nginx and will be the way forward.

    The upgrade has been good for many (most?) including 12 of my own boxes so far.

    I highly suggest you give it a try.



  • Hmm ok sounds good!

    Thanks for the information, I've done the upgrade on my machine but I think it borked the box since most of my services are stopped and it still says "packages are being installed do not make any changes to the GUI".

    I might just have to do a fresh install which doesn't matter really since I backed up my config but it's strange that the upgrade didn't work.

    Thanks again!

