CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
Confidence: Low
EPSS
Percentile: 94.2%
The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.
fedoranews.org/cms/node/2400
fedoranews.org/cms/node/2401
lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html
secunia.com/advisories/23432
secunia.com/advisories/23435
secunia.com/advisories/23462
secunia.com/advisories/23597
secunia.com/advisories/23727
secunia.com/advisories/23776
secunia.com/advisories/23779
security.gentoo.org/glsa/glsa-200701-12.xml
securityreason.com/securityalert/2082
securitytracker.com/id?1017430
www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html
www.mandriva.com/security/advisories?name=MDKSA-2006:234
www.securityfocus.com/archive/1/454962/100/0/threaded
www.securityfocus.com/bid/21687
www.ubuntu.com/usn/usn-397-1
www.vupen.com/english/advisories/2006/5099
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2092