Netgate Discussion Forum

    MonkeyWeb POST with too much data

    General pfSense Questions

    • A Former User

      Hey guys,

      I couldn't find anything about this issue, but I did some vulnerability scanning on my pfSense router/firewall and it came back with: "Your web server crashes when it receives a POST command with too much data, it may be possible to make this web server execute arbitrary code."

      Now, this is true since I couldn't log into the web GUI after this scan was run.

      How is this fixable or is it a false positive?

      It says that to fix it you simply have to upgrade your web server…

      Thanks!

      • cmb

        That's a 13-year-old vulnerability in "MonkeyWeb", which has nothing to do with anything actually running on your box. The exploit doesn't hurt anything here.
        http://downloads.securityfocus.com/vulnerabilities/exploits/monkey-nuke.pl

        It's a false positive as far as being vulnerable to that in particular, as that web server doesn't exist.

        That might be triggering a lighttpd crash from issues in the version used in 2.2.6, but it's just a crash with no security impact. If you run 'pkg install lighttpd' at a command prompt and reboot, then test again, does it do the same? That crash is confirmed fixed in the latest lighttpd, but might not be related. I haven't really dug into it since we ditched lighttpd for nginx in 2.3.

        What scanning tool are you using?

        • A Former User

          Oh ok thanks a lot for your response!

          I'll try to update the lighttpd and see if it still crashes after that.

          I'll post back with results soon, thanks again!

          • A Former User

            So I finally got around to doing that command but it doesn't work and gives an error: pkg: failed to extract pkg-static: Can't create '/usr/local/sbin/pkg-static

            • divsys

              Since your original post, pfSense 2.3 has reached Release status.

              As Chris suggested, it's probably a good idea to upgrade.
              2.3 has dropped lighttpd in favour of nginx and will be the way forward.

              The upgrade has been good for many (most?) including 12 of my own boxes so far.

              I highly suggest you give it a try.

              -jfp

              • A Former User

                Hmm ok sounds good!

                Thanks for the information. I've done the upgrade on my machine, but I think it borked the box, since most of my services are stopped and it still says "packages are being installed do not make any changes to the GUI".

                I might just have to do a fresh install which doesn't matter really since I backed up my config but it's strange that the upgrade didn't work.

                Thanks again!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.