CVE-2006-6104 - Secunia Advisories - Vulnerability Information

CVE Reference: CVE-2006-6104
NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2006-6104

Description: The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

CVE Status: Candidate

References: UBUNTU http://www.ubuntu.com/usn/usn-397-1 SUSE http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html ST 1017430 SREASON http://securityreason.com/securityalert/2082 SAID Secunia Advisory: SA23597 Secunia Advisory: SA23462 Secunia Advisory: SA23435 Secunia Advisory: SA23432 Secunia Advisory: SA23727 Secunia Advisory: SA23776 Secunia Advisory: SA23779 OVAL http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2092 MISC http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html MANDRIVA http://www.mandriva.com/security/advisories?name=MDKSA-2006:234 GENTOO http://security.gentoo.org/glsa/glsa-200701-12.xml FEDORA http://fedoranews.org/cms/node/2400 http://fedoranews.org/cms/node/2401 BUGTRAQ http://www.securityfocus.com/archive/1/archive/1/454962/100/0/threaded BID 21687

Return to the previous page.