CVE-2006-6104

Description

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2092

http://www.vupen.com/english/advisories/2006/5099

http://www.ubuntu.com/usn/usn-397-1

http://www.securityfocus.com/archive/1/454962/100/0/threaded

http://www.mandriva.com/security/advisories?name=MDKSA-2006:234

http://securitytracker.com/id?1017430

http://securityreason.com/securityalert/2082

http://security.gentoo.org/glsa/glsa-200701-12.xml

http://secunia.com/advisories/23779

http://secunia.com/advisories/23776

http://secunia.com/advisories/23727

http://secunia.com/advisories/23597

http://secunia.com/advisories/23462

http://secunia.com/advisories/23435

http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html

http://fedoranews.org/cms/node/2401

http://fedoranews.org/cms/node/2400

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3

EPSS