Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2006-12-07 02:45:53 UTC

Created attachment 103527 [details, diff]
mono-system.web_fix_r68790.patch

Patch from SUSE.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2006-12-07 02:45:59 UTC

Created attachment 103528 [details, diff]
mono-system.web_security_fix2_r69049.patch

Patch from SUSE.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2006-12-22 01:02:16 UTC

Description:
Attackers use source code disclosure attacks to try to obtain the source code of server-side applications. The basic role of Web servers is to serve files as requested by clients. Files can be static, such as image and HTML files, or dynamic, such as ASPX, ASHX, ASCX, ASAX, webservices like ASMX files and any language supported by Mono like: C#, boo, nemerle, vb files: .cs, .boo, vb, .n, ... When the browser requests a dynamic file, the Web server first executes the file and then returns the result to the browser. Hence, dynamic files are actually code executed on the Web server.
Using a source code disclosure attack, an attacker can retrieve the source code of server-side file. Obtaining the source code of server-side files grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application.
An attacker can cause source code disclosure using adding %20 (space char) after the uri, for example
http://www.server.com/app/Default.aspx%20

Update: is also possible retrieve Web.Config file. This file contains sensible informatin like credentials. 

Comment 4 Jurek Bartuszek (RETIRED) 2006-12-22 15:27:20 UTC

I'll take care of that soon. Please update the URL you provided because now it shows "Page Not Found".

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2006-12-23 04:11:20 UTC

Thx Jurek.

The URL works fine here... just checked.

Please comment on the bug once you commit an updated ebuild.

Comment 6 Jurek Bartuszek (RETIRED) 2006-12-23 09:26:25 UTC

Just noticed: this patch is against dev-lang/mono (System.Web.HttpRequest), not dev-dotnet/xsp. I'll poke latexer to include the patches ASAP. 

Comment 7 Jurek Bartuszek (RETIRED) 2006-12-23 14:50:30 UTC

*** Bug 158935 has been marked as a duplicate of this bug. ***

Comment 8 Raphael Marichez (Falco) (RETIRED) 2007-01-12 22:45:36 UTC

Jurek, Latexer, someone?

Comment 9 Matthias Geerdsen (RETIRED) 2007-03-16 15:28:03 UTC

dotnet, any news here?

Comment 10 Jurek Bartuszek (RETIRED) 2007-04-04 22:28:22 UTC

This problem has been fixed in 1.2.2.1 which is already marked stable for some time.

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2007-04-11 10:44:50 UTC

Thx for the update Jurek. Next time please don't close security bugs though :)