Vulnerabilities > CVE-2006-6104 - Information Disclosure vulnerability in Mono XSP 1.1/1.2.1/2.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 3 |
Exploit-Db
| description | Mono XSP 1.x/2.0 Source Code Information Disclosure Vulnerability. CVE-2006-6104. Remote exploit for linux platform |
| id | EDB-ID:29302 |
| last seen | 2016-02-03 |
| modified | 2006-12-20 |
| published | 2006-12-20 |
| reporter | jose.palanco |
| source | https://www.exploit-db.com/download/29302/ |
| title | Mono XSP 1.x/2.0 Source Code Information Disclosure Vulnerability |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-234.NASL description XSP (the Mono ASP.NET server) is vulnerable to source disclosure attack which allow a malicious user to obtain the source code of the server-side application. This vulnerability grants the attacker deeper knowledge of the Web application logic. Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 24617 published 2007-02-18 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/24617 title Mandrake Linux Security Advisory : mono (MDKSA-2006:234) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2006:234. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(24617); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:48"); script_cve_id("CVE-2006-6104"); script_bugtraq_id(21687); script_xref(name:"MDKSA", value:"2006:234"); script_name(english:"Mandrake Linux Security Advisory : mono (MDKSA-2006:234)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "XSP (the Mono ASP.NET server) is vulnerable to source disclosure attack which allow a malicious user to obtain the source code of the server-side application. This vulnerability grants the attacker deeper knowledge of the Web application logic. Updated packages have been patched to correct this issue." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:jay"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mono0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64mono0-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmono-runtime"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmono0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libmono0-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mono"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mono-data-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mono-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007"); script_set_attribute(attribute:"patch_publication_date", value:"2006/12/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.0", reference:"jay-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64mono0-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64mono0-devel-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"libmono-runtime-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libmono0-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libmono0-devel-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"mono-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"mono-data-sqlite-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.0", reference:"mono-doc-1.1.17.1-5.2mdv2007.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2007-067.NASL description A security problem was found and fixed in mono class libraries that affects the Mono web server implementation. By appending spaces to URLs attackers could download the source code of ASP.net scripts that would normally get executed by the web server. After upgrading the packages you need to restart any running mono web server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24197 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24197 title Fedora Core 6 : mono-1.1.17.1-4.fc6 (2007-067) NASL family CGI abuses NASL id MONO_XSP_SOURCE_DISCLOSURE.NASL description The remote host is running Mono XSP, a lightweight web server for hosting ASP.NET applications. The version of Mono XSP installed on the remote Windows host fails to properly validate filename extensions in URLs. A remote attacker may be able to leverage this issue to disclose the source of scripts hosted by the affected application using specially crafted requests with URL-encoded space characters. last seen 2020-06-01 modified 2020-06-02 plugin id 23934 published 2006-12-23 reporter This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/23934 title Mono XSP for ASP.NET Server Crafted Request Script Source Code Disclosure NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-397-1.NASL description Jose Ramon Palanco discovered that the mono System.Web class did not consistently verify local file paths. As a result, the source code for mono web applications could be retrieved remotely, possibly leading to further compromise via the application last seen 2020-06-01 modified 2020-06-02 plugin id 27983 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27983 title Ubuntu 6.06 LTS / 6.10 : mono vulnerability (USN-397-1) NASL family Fedora Local Security Checks NASL id FEDORA_2007-068.NASL description A security problem was found and fixed in mono class libraries that affects the Mono web server implementation. By appending spaces to URLs attackers could download the source code of ASP.net scripts that would normally get executed by the web server. After upgrading the packages you need to restart any running mono web server. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 24198 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24198 title Fedora Core 5 : mono-1.1.13.7-3.fc5.1 (2007-068) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200701-12.NASL description The remote host is affected by the vulnerability described in GLSA-200701-12 (Mono: Information disclosure) Jose Ramon Palanco has discovered that the System.Web class in the XSP for the ASP.NET server 1.1 through 2.0 in Mono does not properly validate or sanitize local pathnames which could allow server-side file content disclosure. Impact : An attacker could append a space character to a URI and obtain unauthorized access to the source code of server-side files. An attacker could also read credentials by requesting Web.Config%20 from a Mono server. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 24210 published 2007-01-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/24210 title GLSA-200701-12 : Mono: Information disclosure
Oval
| accepted | 2007-12-10T04:00:05.181-05:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| description | The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:2092 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| submitted | 2007-08-09T08:17:54 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| title | mono-web ASP.net sourcecode disclosure | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| version | 39 |
References
- http://fedoranews.org/cms/node/2400
- http://fedoranews.org/cms/node/2401
- http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html
- http://secunia.com/advisories/23432
- http://secunia.com/advisories/23435
- http://secunia.com/advisories/23462
- http://secunia.com/advisories/23597
- http://secunia.com/advisories/23727
- http://secunia.com/advisories/23776
- http://secunia.com/advisories/23779
- http://security.gentoo.org/glsa/glsa-200701-12.xml
- http://securityreason.com/securityalert/2082
- http://securitytracker.com/id?1017430
- http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:234
- http://www.securityfocus.com/archive/1/454962/100/0/threaded
- http://www.securityfocus.com/bid/21687
- http://www.ubuntu.com/usn/usn-397-1
- http://www.vupen.com/english/advisories/2006/5099
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2092