lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20061220172611.1168.qmail@securityfocus.com>
Date: 20 Dec 2006 17:26:11 -0000
From: jose.palanco@...el.es
To: bugtraq@...urityfocus.com
Subject: Mono XSP ASP.NET Server sourcecode disclosure vulnerability

Mono XSP ASP.NET Server sourcecode disclosure vulnerability

Version:  	 Tested on mono 1.2.1
XSP for ASP.NET 1.1 and 2.0 (This is a regression as this issue didn't exists in Mono 1.0)

Discovered by: 	José Ramón Palanco: jose.palanco(at)eazel(dot)es

http://www.eazel.es

Time Line: 	

    * Nov 29, 2006: Discovered security issue by Jose Ramon Palanco
    * Nov 30, 2006: Reported to Mono Project
    * Dec 1, 2006: Patch in subversion rev 68776
    * Dec 5, 2006: Mono is testing the patch and building packages for the fix
    * Dec 19, 2006: Published advisory

Description: 	

Attackers use source code disclosure attacks to try to obtain the source code of server-side applications. The basic role of Web servers is to serve files as requested by clients. Files can be static, such as image and HTML files, or dynamic, such as ASPX, ASHX, ASCX, ASAX, webservices like ASMX files and any language supported by Mono like: C#, boo, nemerle, vb files: .cs, .boo, vb, .n, ... When the browser requests a dynamic file, the Web server first executes the file and then returns the result to the browser. Hence, dynamic files are actually code executed on the Web server.

Using a source code disclosure attack, an attacker can retrieve the source code of server-side file. Obtaining the source code of server-side files grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application.

An attacker can cause source code disclosure using adding %20 (space char) after the uri, for example
http://www.server.com/app/Default.aspx%20

Update: is also possible retrieve Web.Config file. This file contains sensible informatin like credentials.

Original advisory:

http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ