Vulnerabilities > CVE-2006-6104 - Unspecified vulnerability in Mono XSP 1.1/1.2.1/2.0

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
mono
nessus
exploit available

Summary

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

Vulnerable Configurations

Part Description Count
Application
Mono
3

Exploit-Db

descriptionMono XSP 1.x/2.0 Source Code Information Disclosure Vulnerability. CVE-2006-6104. Remote exploit for linux platform
idEDB-ID:29302
last seen2016-02-03
modified2006-12-20
published2006-12-20
reporterjose.palanco
sourcehttps://www.exploit-db.com/download/29302/
titleMono XSP 1.x/2.0 Source Code Information Disclosure Vulnerability

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-234.NASL
    descriptionXSP (the Mono ASP.NET server) is vulnerable to source disclosure attack which allow a malicious user to obtain the source code of the server-side application. This vulnerability grants the attacker deeper knowledge of the Web application logic. Updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id24617
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/24617
    titleMandrake Linux Security Advisory : mono (MDKSA-2006:234)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:234. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24617);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-6104");
      script_bugtraq_id(21687);
      script_xref(name:"MDKSA", value:"2006:234");
    
      script_name(english:"Mandrake Linux Security Advisory : mono (MDKSA-2006:234)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "XSP (the Mono ASP.NET server) is vulnerable to source disclosure
    attack which allow a malicious user to obtain the source code of the
    server-side application. This vulnerability grants the attacker deeper
    knowledge of the Web application logic.
    
    Updated packages have been patched to correct this issue."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:jay");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mono0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mono0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmono-runtime");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmono0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmono0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mono");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mono-data-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mono-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/12/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2007.0", reference:"jay-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64mono0-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64mono0-devel-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"libmono-runtime-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libmono0-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libmono0-devel-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"mono-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"mono-data-sqlite-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"mono-doc-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-067.NASL
    descriptionA security problem was found and fixed in mono class libraries that affects the Mono web server implementation. By appending spaces to URLs attackers could download the source code of ASP.net scripts that would normally get executed by the web server. After upgrading the packages you need to restart any running mono web server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24197
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24197
    titleFedora Core 6 : mono-1.1.17.1-4.fc6 (2007-067)
  • NASL familyCGI abuses
    NASL idMONO_XSP_SOURCE_DISCLOSURE.NASL
    descriptionThe remote host is running Mono XSP, a lightweight web server for hosting ASP.NET applications. The version of Mono XSP installed on the remote Windows host fails to properly validate filename extensions in URLs. A remote attacker may be able to leverage this issue to disclose the source of scripts hosted by the affected application using specially crafted requests with URL-encoded space characters.
    last seen2020-06-01
    modified2020-06-02
    plugin id23934
    published2006-12-23
    reporterThis script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/23934
    titleMono XSP for ASP.NET Server Crafted Request Script Source Code Disclosure
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-397-1.NASL
    descriptionJose Ramon Palanco discovered that the mono System.Web class did not consistently verify local file paths. As a result, the source code for mono web applications could be retrieved remotely, possibly leading to further compromise via the application
    last seen2020-06-01
    modified2020-06-02
    plugin id27983
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27983
    titleUbuntu 6.06 LTS / 6.10 : mono vulnerability (USN-397-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2007-068.NASL
    descriptionA security problem was found and fixed in mono class libraries that affects the Mono web server implementation. By appending spaces to URLs attackers could download the source code of ASP.net scripts that would normally get executed by the web server. After upgrading the packages you need to restart any running mono web server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24198
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24198
    titleFedora Core 5 : mono-1.1.13.7-3.fc5.1 (2007-068)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200701-12.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200701-12 (Mono: Information disclosure) Jose Ramon Palanco has discovered that the System.Web class in the XSP for the ASP.NET server 1.1 through 2.0 in Mono does not properly validate or sanitize local pathnames which could allow server-side file content disclosure. Impact : An attacker could append a space character to a URI and obtain unauthorized access to the source code of server-side files. An attacker could also read credentials by requesting Web.Config%20 from a Mono server. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id24210
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24210
    titleGLSA-200701-12 : Mono: Information disclosure

Oval

accepted2007-12-10T04:00:05.181-05:00
classvulnerability
contributors
  • nameThomas R. Jones
    organizationMaitreya Security
  • nameNicholas Hansen
    organizationHewlett-Packard
  • nameNicholas Hansen
    organizationHewlett-Packard
  • nameNicholas Hansen
    organizationHewlett-Packard
  • nameJeff Cheng
    organizationHewlett-Packard
  • nameJeff Cheng
    organizationHewlett-Packard
  • nameJeff Cheng
    organizationHewlett-Packard
definition_extensions
  • commentopenSUSE 10.2 is installed
    ovaloval:org.mitre.oval:def:1170
  • commentPackage bytefx-data-mysql is installed
    ovaloval:org.mitre.oval:def:315
  • commentPackage ibm-data-db2 is installed
    ovaloval:org.mitre.oval:def:633
  • commentPackage mono-basic is installed
    ovaloval:org.mitre.oval:def:646
  • commentPackage mono-core is installed
    ovaloval:org.mitre.oval:def:1616
  • commentPackage mono-core-32bit is installed
    ovaloval:org.mitre.oval:def:1233
  • commentPackage mono-data is installed
    ovaloval:org.mitre.oval:def:1717
  • commentPackage mono-data-firebird is installed
    ovaloval:org.mitre.oval:def:2212
  • commentPackage mono-data-oracle is installed
    ovaloval:org.mitre.oval:def:2227
  • commentPackage mono-data-postgresql is installed
    ovaloval:org.mitre.oval:def:2230
  • commentPackage mono-data-sqlite is installed
    ovaloval:org.mitre.oval:def:2146
  • commentPackage mono-data-sybase is installed
    ovaloval:org.mitre.oval:def:1812
  • commentPackage mono-devel is installed
    ovaloval:org.mitre.oval:def:2042
  • commentPackage mono-extras is installed
    ovaloval:org.mitre.oval:def:2175
  • commentPackage mono-jscript is installed
    ovaloval:org.mitre.oval:def:2218
  • commentPackage mono-locale-extras is installed
    ovaloval:org.mitre.oval:def:2066
  • commentPackage mono-nunit is installed
    ovaloval:org.mitre.oval:def:2125
  • commentPackage mono-web is installed
    ovaloval:org.mitre.oval:def:1554
  • commentPackage mono-winforms is installed
    ovaloval:org.mitre.oval:def:2131
  • commentSUSE Linux 10.1 is installed
    ovaloval:org.mitre.oval:def:2157
  • commentPackage bytefx-data-mysql is installed
    ovaloval:org.mitre.oval:def:315
  • commentPackage ibm-data-db2 is installed
    ovaloval:org.mitre.oval:def:633
  • commentPackage mono-basic is installed
    ovaloval:org.mitre.oval:def:646
  • commentPackage mono-core is installed
    ovaloval:org.mitre.oval:def:1616
  • commentPackage mono-core-32bit is installed
    ovaloval:org.mitre.oval:def:1233
  • commentPackage mono-data is installed
    ovaloval:org.mitre.oval:def:1717
  • commentPackage mono-data-firebird is installed
    ovaloval:org.mitre.oval:def:2212
  • commentPackage mono-data-oracle is installed
    ovaloval:org.mitre.oval:def:2227
  • commentPackage mono-data-postgresql is installed
    ovaloval:org.mitre.oval:def:2230
  • commentPackage mono-data-sqlite is installed
    ovaloval:org.mitre.oval:def:2146
  • commentPackage mono-data-sybase is installed
    ovaloval:org.mitre.oval:def:1812
  • commentPackage mono-devel is installed
    ovaloval:org.mitre.oval:def:2042
  • commentPackage mono-extras is installed
    ovaloval:org.mitre.oval:def:2175
  • commentPackage mono-jscript is installed
    ovaloval:org.mitre.oval:def:2218
  • commentPackage mono-locale-extras is installed
    ovaloval:org.mitre.oval:def:2066
  • commentPackage mono-nunit is installed
    ovaloval:org.mitre.oval:def:2125
  • commentPackage mono-web is installed
    ovaloval:org.mitre.oval:def:1554
  • commentPackage mono-winforms is installed
    ovaloval:org.mitre.oval:def:2131
  • commentSUSE Linux Enterprise Desktop 10 is installed
    ovaloval:org.mitre.oval:def:2106
  • commentSUSE Linux Enterprise Server 10 is installed
    ovaloval:org.mitre.oval:def:1368
descriptionThe System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.
familyunix
idoval:org.mitre.oval:def:2092
statusaccepted
submitted2007-08-09T08:17:54
titlemono-web ASP.net sourcecode disclosure
version39