VID | 22428
Severity | 30
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description |
The Mono XSP Server is vulnerable to a source disclosure vulnerability via an HTTP request that ends in '%20'. Mono XSP ASP.NET Server is a lightweight web server for hosting ASP.NET applications. The System.Web class in the Mono XSP ASP.NET Server versions 1.1 through to 2.0 could allow a remote attacker to view the source code of a requested file by appending "%20" to the end of the URL.
* References:
  http://www.mono-project.com/news/archive/2006/Dec-20.html
  http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html
  http://www.securityfocus.com/archive/1/454962/30/0/threaded
  http://secunia.com/advisories/23432/
* Platforms Affected: ASP.NET; Mono XSP ASP.NET Server versions 1.1 through to 2.0; any operating system, any version |
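Added example (not part of this record or of the Mono project): a log check a defender can run over web-server access logs to spot the request shape this entry describes, a path to an ASP.NET-handled file with a trailing percent-encoded space. The sample log lines are constructed, and the extension list is an assumption about which files XSP routes to ASP.NET handlers.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format) for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2006:10:00:01 +0000] "GET /default.aspx HTTP/1.1" 200 1532
10.0.0.9 - - [20/Dec/2006:10:00:07 +0000] "GET /default.aspx%20 HTTP/1.1" 200 4211
10.0.0.9 - - [20/Dec/2006:10:00:09 +0000] "GET /admin/login.ashx%20?x=1 HTTP/1.1" 200 980
10.0.0.5 - - [20/Dec/2006:10:00:12 +0000] "GET /images/logo.png HTTP/1.1" 200 7711
"""

# Assumption: extensions that XSP hands to the ASP.NET pipeline. A request for one of
# these with only whitespace after the extension is the pattern in the advisory.
ASPNET_EXT = ("aspx", "asmx", "ashx", "ascx", "asax")
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SUSPECT_RE = re.compile(r"\.(" + "|".join(ASPNET_EXT) + r")\s+$", re.IGNORECASE)


def is_source_disclosure_probe(target: str) -> bool:
    """True if the request path, once percent-decoded, is an ASP.NET file name
    followed only by whitespace (e.g. '/default.aspx%20'). The query string is
    ignored so '/x.ashx%20?a=1' is still caught."""
    path = target.split("?", 1)[0]
    return bool(SUSPECT_RE.search(unquote(path)))


def find_probes(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for every log line whose request
    target looks like a trailing-%20 source disclosure attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and is_source_disclosure_probe(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_probes(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {target}")
```

A hit with a 200 status on a patched server is worth checking against the response size, since a disclosed source file is usually larger than the rendered page.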
Recommendation |
For SUSE Linux: Apply the appropriate fixed packages of mono-web, as listed in SUSE Security Announcement SUSE-SA:2007:002 at http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html
For Mandriva Linux: Upgrade to a fixed package version of mono-web, as listed in Mandriva Security Advisory MDKSA-2006:234 at http://www.mandriva.com/security/advisories?name=MDKSA-2006:234
For Ubuntu Linux: Upgrade to a fixed package version of mono-web, as listed in Ubuntu Security Notice USN-397-1 at http://www.ubuntu.com/usn/usn-397-1
For other distributions: No upgrade or patch available as of January 2007.
Upgrade to a fixed version of Mono XSP ASP.NET Server when a new fixed version becomes available from the Mono Project Downloads page at http://www.mono-project.com/Downloads
As a workaround, apply the unofficial patch, taken from Subversion revision 68776, available at http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.patch |
Related URL | CVE-2006-6104 (CVE)
Related URL | 21687 (SecurityFocus)
Related URL | 31010 (ISS)