oss-sec mailing list archives
CVE Request: XSS in a Mono System.web error page
From: Marcus Meissner <meissner () suse de>
Date: Sat, 7 Jul 2012 00:21:40 +0200
Hi,
A Nessus scan of a Novell product using Mono Web revealed an XSS attack
in the Mono System.Web library.
The Mono team committed a fix to their GIT.
References:
https://bugzilla.novell.com/show_bug.cgi?id=769799
https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
The XSS is in the error popup of the "Forbidden extension" filter method,
which filters out e.g. ".dll" files.
Ciao, Marcus
