[UNIX] Mono XSP ASP.NET Server Source Code Disclosure Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Dec 2006 17:16:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mono XSP ASP.NET Server Source Code Disclosure Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability in Mono's XSP ASP.NET Server allows remote attacker to
cause the program to reveal the source code of the files being requested.
DETAILS
Vulnerable Systems:
* Mono version 1.2.1
* XSP for ASP.NET version 1.1 and version 2.0
Attackers can use source code disclosure attacks to try to obtain the
source code of server-side applications. The basic role of Web servers is
to serve files as requested by clients. Files can be static, such as image
and HTML files, or dynamic, such as ASPX, ASHX, ASCX, ASAX, webservices
like ASMX files and any language supported by Mono like: C#, boo, nemerle,
vb files: .cs, .boo, vb, .n, ... When the browser requests a dynamic file,
the Web server first executes the file and then returns the result to the
browser. Hence, dynamic files are actually code executed on the Web
server.
Using a source code disclosure attack, an attacker can retrieve the source
code of server-side file. Obtaining the source code of server-side files
grants the attacker deeper knowledge of the logic behind the Web
application, how the application handles requests and their parameters,
the structure of the database, vulnerabilities in the code and source code
comments. Having the source code, and possibly a duplicate application to
test on, helps the attacker to prepare an attack on the application.
An attacker can cause source code disclosure using adding %20 (space char)
after the URI, for example http://www.server.com/app/Default.aspx%20
Update: is also possible retrieve Web.Config file. This file contains
sensible information like credentials.
Workaround:
A temporary patch can be found at:
<http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.patch> http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.patch
Time Line:
* Nov 29, 2006: Discovered security issue by Jose Ramon Palanco
* Nov 30, 2006: Reported to Mono Project
* Dec 1, 2006: Patch in subversion rev 68776
* Dec 5, 2006: Mono is testing the patch and building packages for the
fix
* Dec 19, 2006: Published advisory
ADDITIONAL INFORMATION
The information has been provided by <mailto:jose.palanco@xxxxxxxx> Jose
Ramon Palanco.
The original article can be found at:
<http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html> http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [EXPL] Hewlett-Packard FTP Print Server Buffer Overflow (PoC)
- Next by Date: [NEWS] NOD32 Antivirus DOC parsing Arbitrary Code Execution Advisory
- Previous by thread: [EXPL] Hewlett-Packard FTP Print Server Buffer Overflow (PoC)
- Next by thread: [NEWS] NOD32 Antivirus DOC parsing Arbitrary Code Execution Advisory
- Index(es):
Relevant Pages
- [NT] Multiple Vulnerabilities in WWW Fileshare Pro
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Share Pro that allow an attacker
to write arbitrary files, ... server, ... The program has an option enabled by default
that lets people to upload ... (Securiteam) - [NT] Citrix Neighborhood Agent Buffer Overflow and Arbitrary Shortcut Creation
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Server Client and facilitates
access to Citrix published applications. ... an attacker must determine the length of the
... (Securiteam) - [NT] Qualcomm WorldMail IMAP Server String Literal Processing Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Qualcomm WorldMail IMAP Server
String Literal Processing Overflow ... Remote exploitation of a buffer overflow vulnerability
in Qualcomm ... In order to trigger this overflow, an attacker only needs to send a long
... (Securiteam) - [NEWS] Star Wars Jedi Knight: Jedi Academy Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A buffer overflow in the Star
Wars Jedi Knight: Jedi Academy server allows ... a remote attacker to cause it execute
arbitrary code. ... (Securiteam) - [UNIX] phpSysInfo Multiple Vulnerabilities (HTTP_ACCEPT_LANGUAGE, sensor_program, VERSION, charset)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have
been discovered in phpSysInfo allowing ... the attacker to additionally inject the
$lng parameter. ... $sensor_program can *still* be used to inject active ... (Securiteam)
