An attacker can cause source code disclosure using adding %20 (space char) after the uri, for example http://www.server.com/app/Default.aspx%20 The Mono project is testing/building packages for the fix. Credits: www.eazel.es
Created attachment 103527 [details, diff] mono-system.web_fix_r68790.patch Patch from SUSE.
Created attachment 103528 [details, diff] mono-system.web_security_fix2_r69049.patch Patch from SUSE.
Description: Attackers use source code disclosure attacks to try to obtain the source code of server-side applications. The basic role of Web servers is to serve files as requested by clients. Files can be static, such as image and HTML files, or dynamic, such as ASPX, ASHX, ASCX, ASAX, webservices like ASMX files and any language supported by Mono like: C#, boo, nemerle, vb files: .cs, .boo, vb, .n, ... When the browser requests a dynamic file, the Web server first executes the file and then returns the result to the browser. Hence, dynamic files are actually code executed on the Web server. Using a source code disclosure attack, an attacker can retrieve the source code of server-side file. Obtaining the source code of server-side files grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application. An attacker can cause source code disclosure using adding %20 (space char) after the uri, for example http://www.server.com/app/Default.aspx%20 Update: is also possible retrieve Web.Config file. This file contains sensible informatin like credentials.
I'll take care of that soon. Please update the URL you provided because now it shows "Page Not Found".
Thx Jurek. The URL works fine here... just checked. Please comment on the bug once you commit an updated ebuild.
Just noticed: this patch is against dev-lang/mono (System.Web.HttpRequest), not dev-dotnet/xsp. I'll poke latexer to include the patches ASAP.
*** Bug 158935 has been marked as a duplicate of this bug. ***
Jurek, Latexer, someone?
dotnet, any news here?
This problem has been fixed in 1.2.2.1 which is already marked stable for some time.
Thx for the update Jurek. Next time please don't close security bugs though :)