CVE-2006-6104 – Mono XSP 1.x/2.0 - Source Code Information Disclosure

https://notcve.org/view.php?id=CVE-2006-6104

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20. La clase System.Web del XSP para el servidor ASP.NET desde la versión 1.1 hasta la 2.0 en Mono no verifica apropiadamente los nombres de rutas locales, lo cual permite a atacantes remotos (1)leer el código fuente añadiendo un espacio (%20) a la URI y (2) leer las credenciales mediante una petición al Web.Config%20. • https://www.exploit-db.com/exploits/29302 http://fedoranews.org/cms/node/2400 http://fedoranews.org/cms/node/2401 http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html http://secunia.com/advisories/23432 http://secunia.com/advisories/23435 http://secunia.com/advisories/23462 http://secunia.com/advisories/23597 http://secunia.com/advisories/23727 http://secunia.com/advisories/23776 http://secunia.com/advisories/23779 http://security.gentoo.org/glsa •