oss-sec mailing list archives

Re: Mono ASP.net cross site scripting issue


From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 31 Jul 2008 16:30:52 -0400 (EDT)


======================================================
Name: CVE-2008-3422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3422
Reference: MLIST:[Mono-dev] 20080726 [PATCH] HTML encode attributes that might need encoding
Reference: URL:http://lists.ximian.com/pipermail/mono-devel-list/2008-July/028633.html
Reference: CONFIRM:https://bugzilla.novell.com/show_bug.cgi?id=413534

Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net
class libraries in Mono 2.0 and earlier allow remote attackers to
inject arbitrary web script or HTML via crafted attributes related to
(1) HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs
(RenderAttributes), (3) HtmlInputButton (RenderAttributes), (4)
HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect
(RenderChildren).


