Bugzilla – Bug 413534
VUL-0: Mono ASP.NET class library has potential XSS problem
Last modified: 2009-10-14 01:11:44 UTC
We received this report from a mono developer (is cc'ed). Please clarify.

>>> On 7/27/2008 at 3:36 PM, <genericemail@novell.com> wrote:
> 12-Job Title:
> 13-Company:
> 14-Phone: 301-990-7141
> 22-Additional:
> 19-Country: United States
> 11-Your Name: Dean Brettle
> 17-State: CA
> 16-City: Redwood City
> from: dean@brettle.com
> 21-Issue: Mono's ASP.NET implementation HTML-encodes most
> properties/attributes, but does not encode some. As a result an unsuspecting
> ASP.NET developer can inadvertently create an XSS vulnerability.
>
> The following properties/attributes are not encoded by Mono but are encoded
> by MS' ASP.NET implementation:
>
> 1. HtmlSelect.Value and HtmlSelect.Text
> 2. The "action" attribute of a <form> element.
>
> The lack of encoding for the form "action" attribute is particularly
> dangerous because the default "action" is the URL used to visit the page. To
> see why this is a problem, change the hostname and page in the following HTML
> so that they point to a page hosted by Mono and then use IE (not Firefox) to
> view the HTML and follow the link:
> <a href="http://hostname/page.aspx?"onmouseover="window.alert('xss');&quot;">link</a>
>
> In addition to the above attributes, the following attributes are not
> encoded by Mono or MS.NET, but should be IMO:
> HtmlInputRadioButton.Value, HtmlImage.Src and HtmlInputImage.Src. I just
> reported these to secure@microsoft.com. I don't know what action they will
> take, but even if they choose not to fix these, I think Mono should sacrifice
> strict compatibility with MS.NET to provide better security in situations
> like this.
>
> I have commit privs for Mono SVN and have a patch for all of the above
> (including unit tests). I can commit to the mono-2-0 branch and trunk, but I
> need clarification on whether to encode the attributes that aren't currently
> encoded by MS.
>
> Also, since this is a security issue I wasn't sure if you needed me to wait
> until you could put out patched packages or something similar.
>
> I posted an earlier (incomplete) version of the patch to the mono-devel list
> before I realized the security implications:
>
> http://lists.ximian.com/pipermail/mono-devel-list/2008-July/028633.html
>
> I can also email you my latest patch if it helps.
>
> --Dean
> 20-Product: Mono (at least 1.2, probably all versions)
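Added illustration (not Mono's or Dean's code) of the form "action" case described in the report above: the request URL is written into the attribute unencoded, so a double quote in it terminates the attribute value, while attribute-encoding the value before emitting it keeps the same input inert. "hostname/page.aspx" is a placeholder, the request URL is constructed from the report's link, and the encoder is a minimal stand-in for the framework's System.Web.HttpUtility.HtmlAttributeEncode.

```csharp
using System;
using System.Text;

static class FormActionDemo
{
    // Minimal attribute encoder: covers the characters that matter inside a
    // double-quoted attribute. Real code should call the framework's encoder.
    public static string HtmlAttributeEncode(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            switch (c)
            {
                case '"': sb.Append("&quot;"); break;
                case '&': sb.Append("&amp;"); break;
                case '<': sb.Append("&lt;"); break;
                default:  sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Vulnerable shape: the default action (the request URL) is emitted verbatim.
    public static string RenderFormVulnerable(string requestUrl)
    {
        return "<form method=\"post\" action=\"" + requestUrl + "\">";
    }

    // Fixed shape: the same value, attribute-encoded before it reaches the markup.
    public static string RenderFormFixed(string requestUrl)
    {
        return "<form method=\"post\" action=\"" + HtmlAttributeEncode(requestUrl) + "\">";
    }

    static void Main()
    {
        // Constructed: the URL a browser that does not percent-encode '"' would
        // send after following the report's crafted link (placeholder host/page).
        string requestUrl = "http://hostname/page.aspx?\"onmouseover=\"window.alert('xss');\"";

        string bad  = RenderFormVulnerable(requestUrl);
        string good = RenderFormFixed(requestUrl);
        Console.WriteLine(bad);   // the '"' closes action="..." and onmouseover becomes a live attribute
        Console.WriteLine(good);  // action="http://hostname/page.aspx?&quot;onmouseover=..." stays one attribute

        // Defensive check for a rendered attribute: no raw '"' may split the value.
        Console.WriteLine(bad.Contains("\"onmouseover=\"")  ? "vulnerable" : "safe");
        Console.WriteLine(good.Contains("\"onmouseover=\"") ? "vulnerable" : "safe");
    }
}
```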
The report is accurate - this is a real security threat, although not very serious in my opinion. Nevertheless, it should be treated with due diligence. Dean discussed the issue with me and he's ready to commit the fix - we just wanted to be sure we're taking the correct path for this.
Two ways:
- prepare fixes beforehand and have them ready for release when committed
- just commit and get all the fixed packages released afterwards

To decide: I understand that Microsoft C# ASP.net is also affected, right? If yes, waiting with disclosure for some time and perhaps coordinating to some degree with MS might be appropriate. If MS has a CVE for this issue, we can also use it for Mono ASP.net, otherwise we can get our own CVE entry.

=> wait for MS feedback for some days (I suggest until next week).
remove novell internal, since it's leaking via the QA contact mailinglist anyway.
since this was leaked via the ml, please just go ahead with committing fixes.
asked for CVE id
Committed to mono-2-0 @ 109348 and trunk @ 109349.
Committed to mono-1-9 branch, revision 109358
CVE, please use them when referring to the problem. (If the description is incorrect, we can get it adjusted.)

======================================================
Name: CVE-2008-3422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3422
Reference: MLIST:[Mono-dev] 20080726 [PATCH] HTML encode attributes that might need encoding
Reference: URL:http://lists.ximian.com/pipermail/mono-devel-list/2008-July/028633.html
Reference: CONFIRM:https://bugzilla.novell.com/show_bug.cgi?id=413534

Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net class libraries in Mono 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted attributes related to (1) HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs (RenderAttributes), (3) HtmlInputButton (RenderAttributes), (4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect (RenderChildren).
Anja, I need a SWAMP-ID for this issue.
MaintenanceTracker-19273
I've submitted these patches but have not seen any action on SuSE side yet.
you also need to submit for sles10 sp1 (getpac tag sles10). Please merge with the ifolder fix.
released now
CVE-2008-3422: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)