oss-sec mailing list archives

Re: CVE Request: XSS in a Mono System.web error page


From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 06 Jul 2012 16:31:07 -0600


On 07/06/2012 04:21 PM, Marcus Meissner wrote:
> Hi,
>
> A Nessus scan of a Novell product using Mono Web revealed an XSS
> attack in the Mono System.Web library.
>
> The Mono team committed a fix to their GIT.
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=769799
> https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
>
> The XSS is in the error popup of the "Forbidden extension" filter
> method, which filters out e.g. ".dll" files.
>
> Ciao, Marcus

Please use CVE-2012-3382 for this issue.


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
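For readers who want to see the bug class Marcus describes, here is an added illustration (not Mono's code and not taken from the referenced commit) of a forbidden-extension handler that reflects the requested path into its HTML error page. The class name, method names, and the extension list are assumptions made for this example; the fix shown is the generic one of HTML-encoding untrusted input before it is written into markup.

```csharp
using System;
using System.Web;

// Added illustration of a "forbidden extension" error page.
// ForbiddenExtensionPage and its members are hypothetical names, not Mono's.
static class ForbiddenExtensionPage
{
    // Sample list of extensions that must never be served directly (constructed).
    static readonly string[] Forbidden = { ".dll", ".config", ".cs" };

    // The filter itself: does the requested path end in a blocked extension?
    public static bool IsForbidden(string path)
    {
        foreach (var ext in Forbidden)
        {
            if (path.EndsWith(ext, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Vulnerable form: the attacker-controlled path is concatenated straight
    // into the error page, so any markup in the URL is rendered by the
    // browser. This is the reflected XSS pattern the thread reports.
    public static string BuildVulnerable(string path)
    {
        return "<html><body><h1>Forbidden extension</h1>"
             + "<p>The requested path cannot be served: " + path + "</p>"
             + "</body></html>";
    }

    // Hardened form: HttpUtility.HtmlEncode turns '<', '>', '&' and quotes
    // into entities, so the path is displayed as text rather than parsed as HTML.
    public static string BuildHardened(string path)
    {
        return "<html><body><h1>Forbidden extension</h1>"
             + "<p>The requested path cannot be served: "
             + HttpUtility.HtmlEncode(path) + "</p>"
             + "</body></html>";
    }

    static void Main()
    {
        // Constructed probe: benign markup in the path, the kind of input a
        // scanner sends to detect reflection without running any script.
        string probe = "/app/<b>probe</b>.dll";

        Console.WriteLine("forbidden: " + IsForbidden(probe));
        Console.WriteLine("vulnerable page:\n" + BuildVulnerable(probe));
        Console.WriteLine("hardened page:\n" + BuildHardened(probe));
    }
}
```

Build with Mono using `mcs -r:System.Web page.cs` (assumed invocation) and run the resulting binary. In the vulnerable page the `<b>` tag from the path appears verbatim and a browser would render it as markup; in the hardened page it appears as `&lt;b&gt;probe&lt;/b&gt;`. A scanner finding like the Nessus one in the thread is exactly this check: send a path carrying a harmless tag and see whether the error response echoes it unencoded.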




