Bugzilla – Bug 769799
VUL-0: CVE-2012-3382: mono-web: XSS in blocked list error handling
Last modified: 2015-11-04 12:45:46 UTC
Found by a Nessus Scan against SLES 11 SP2 with Mono ASP.NET. Nessus Report:
=============
Plugin id: 10815
Plugin Name: Web Server Generic XSS
Port/service: www(80/tcp)

Synopsis
The remote web server is prone to cross-site scripting attacks.

Description
The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

Risk Factor
Medium

CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

The request string used to detect this flaw was :
/cgi-bin/<IMG%20SRC="javascript:alert(cross_site_scripting.nasl);">.dll

The output was :
HTTP/1.1 403 Forbidden
Date: Wed, 28 Mar 2012 09:18:37 GMT
Server: Apache/2.2.12 (Linux/SUSE)
X-AspNet-Version: 2.0.50727
Content-Length: 1782
Cache-Control: private
Keep-Alive: timeout=15, max=57
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

.expandable { text-decoration:underline; font-weight:bold; color:n [...]
<p><strong>Description: </strong>HTTP 403. The type of page you ha [...]
<p><strong>Requested URL: </strong>/cgi-bin/<IMG SRC="javascript:alert(cross_site_scripting.nasl);">.dll</p>
</body></html>
This message comes out of mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in mono-2.6.7. req.Path is not quoted. Also VirtualPathUtility.GetExtension(path) is not quoted; other places in System.Web wrap these with HttpUtility.HtmlEncode(...), so HttpForbiddenHandler.cs also needs the escaping.
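The pattern described in the comment above, as an added example that is not Mono's code and not the actual diff from the fix commit: a hypothetical 403 page builder that reflects the request path raw, the same builder with HttpUtility.HtmlEncode applied, and a small check a packager can run against the returned body to confirm the scanner's probe tag no longer survives unencoded. The probe path is the one from the Nessus report; the method and class names are assumptions for this example. Compile with `mcs -r:System.Web Forbidden403Demo.cs`.

```csharp
using System;
using System.Web; // HttpUtility.HtmlEncode, the helper the bug comment names

// Added example, not Mono's HttpForbiddenHandler; names below are hypothetical.
static class Forbidden403Demo
{
    // Constructed probe: the request path the Nessus plugin sent (from the report).
    public const string ProbePath =
        "/cgi-bin/<IMG SRC=\"javascript:alert(cross_site_scripting.nasl);\">.dll";

    // Vulnerable pattern: the raw request path is concatenated into the HTML of
    // the 403 page, so a path containing '<' and '>' becomes live markup.
    public static string RenderUnescaped(string requestPath)
    {
        return "<p><strong>Requested URL: </strong>" + requestPath + "</p>";
    }

    // Fixed pattern: HtmlEncode turns '<', '>', '"' and '&' into entities, so the
    // browser renders the path as text instead of parsing it as an <IMG> tag.
    // The extension (VirtualPathUtility.GetExtension in the real handler) needs
    // the same treatment wherever it is reflected.
    public static string RenderEscaped(string requestPath)
    {
        return "<p><strong>Requested URL: </strong>"
             + HttpUtility.HtmlEncode(requestPath) + "</p>";
    }

    // Verification helper for a deployed fix: fetch the 403 body for the probe
    // path and reject it if the probe's tag is still present unencoded.
    public static bool ReflectsRawTag(string body)
    {
        return body.IndexOf("<IMG SRC=", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    static void Main()
    {
        string vulnerable = RenderUnescaped(ProbePath);
        string fixedBody  = RenderEscaped(ProbePath);

        Console.WriteLine(vulnerable);
        Console.WriteLine(fixedBody);
        // Expected: true for the unescaped body, false for the encoded one.
        Console.WriteLine("unescaped reflects tag: " + ReflectsRawTag(vulnerable));
        Console.WriteLine("escaped reflects tag:   " + ReflectsRawTag(fixedBody));
    }
}
```

The check is deliberately narrow: it confirms this one reflection point is encoded, which is what the CVE is about, and is not a substitute for re-running the scanner plugin against the patched package.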
bugbot adjusting priority
Fixed in master/d16d462 and mono-2-10/5c61004 https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
CVE-2012-3382
The SWAMPID for this issue is 48165. This issue was rated as moderate. Please submit fixed packages until 2012-07-23. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
sles10 mono-core does not have the relevant code in the HttpForbidden code. sle11-sp1 neither (mono 2.0.1). Only sle11-sp2 (and openSUSE) have the more detailed error message leading to the problem (sle11 sp2 with mono-core 2.6.7).
Please also merge the fix for bug 746208 into the submission.
Marcus! also submit opensuse packages!
Update released for: bytefx-data-mysql, ibm-data-db2, mono-complete, mono-core, mono-core-debuginfo, mono-core-debugsource, mono-data, mono-data-firebird, mono-data-oracle, mono-data-postgresql, mono-data-sqlite, mono-data-sybase, mono-devel, mono-extras, mono-jscript, mono-locale-extras, mono-nunit, mono-wcf, mono-web, mono-winforms, mono-winfxcore, monodoc-core
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
openSUSE-SU-2012:0974-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 769799
CVE References: CVE-2012-3382
Sources used:
openSUSE 12.1 (src): mono-core-2.10.6-2.4.1
openSUSE 11.4 (src): mono-core-2.8.2-0.5.1
This is an autogenerated message for OBS integration: This bug (769799) was mentioned in https://build.opensuse.org/request/show/130562 Evergreen:11.2 / mono-core
released
This is an autogenerated message for OBS integration: This bug (769799) was mentioned in https://build.opensuse.org/request/show/131221 Evergreen:11.2 / mono-core