[Mono-aspnet-list] asp.net applications allow parent directory access

Marek Habersack grendel at twistedcode.net
Tue May 26 06:06:33 EDT 2009


durrban wrote:
> Hello,
Hello,

> I've recently installed mod_mono and while playing around a bit I discovered
> that I could view any file on the server with a simple <!--include file-->
> directive.  Is there a way to stop this behavior?  I know in windows IIS
> this is called "parent paths" and is disabled by default.
It's just not allowed. Indeed, it was a bug in Mono to allow it. I've just fixed the issue in 
revisions 134747 (for trunk) and 134748 (for the 2.4 branch).

> I've also disabled mod_mono and tried the same include directive using SSI
> (.shtml) and it stops the activity.  I believe it said that there was an
> error with the directive, which is good.
> 
> I was planning on offering mod_mono to my clients but with this kind of
> behavior, any client could view the passwd file, traverse users directories,
> and gank any php/asp scripts stealing database passwords and all kinds of
> valuable information.
Well, it wouldn't be that grave as they would see a parsing error with a few lines surrounding the 
line with the "error" (and only if the application were running in debug mode), but yes, I agree it was 
a serious bug in Mono.

> Any help would be appreciated.
The fix will become part of Mono 2.4.1 and later. In the meantime, you can grab the 2.4 (NOT 2.4.0, 
though) branch from our subversion repository, compile it and either install all of it to replace 
your current mono or just copy System.Web.dll to your old Mono's GAC.

regards and thanks for the heads-up

marek
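
The containment check an include resolver needs in order to refuse parent-path escapes, as an added illustration in Python; it is not Mono's fix from the revisions above and not code from the list. It follows the ASP.NET convention that `file=` is resolved relative to the directory of the including page and `virtual=` relative to the application root, and all paths below are constructed and never read from disk.

```python
"""Containment check for <!--#include file|virtual="..."--> targets (constructed illustration)."""
import os


class IncludeOutsideApplication(Exception):
    """Raised when an include would resolve to a file outside the application root."""


def resolve_include(app_root: str, page_path: str, attr: str, value: str) -> str:
    """Resolve an include target and refuse anything outside app_root.

    app_root:  absolute directory of the web application (the trust boundary)
    page_path: absolute path of the page that contains the directive
    attr:      'file' (relative to the page's directory) or 'virtual' (relative to app root)
    value:     the attribute value exactly as written in the page
    """
    root = os.path.realpath(app_root)
    if attr == "file":
        base = os.path.dirname(os.path.realpath(page_path))
    elif attr == "virtual":
        base = root
        value = value.lstrip("/")  # virtual paths are app-rooted, not filesystem-rooted
    else:
        raise ValueError(f"unknown include attribute: {attr!r}")
    # Backslashes are separators on Windows; normalise so '..\' segments are not missed.
    candidate = os.path.realpath(os.path.join(base, value.replace("\\", "/")))
    # os.path.join discards base when value is absolute, and realpath collapses '..'
    # and symlinks, so the only reliable test is on the final resolved path.
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeOutsideApplication(f"{attr}={value!r} resolves to {candidate}, outside {root}")
    return candidate


if __name__ == "__main__":
    ROOT = "/srv/example-app"  # constructed sample root; nothing is opened
    PAGE = f"{ROOT}/pages/index.aspx"
    for attr, val in [("file", "header.inc"), ("file", "../shared/footer.inc"),
                      ("virtual", "/shared/footer.inc"), ("file", "../../../../etc/passwd"),
                      ("file", "/etc/passwd"), ("file", "..\\..\\..\\..\\etc\\passwd")]:
        try:
            print(f"allow {attr}={val!r} -> {resolve_include(ROOT, PAGE, attr, val)}")
        except IncludeOutsideApplication as exc:
            print(f"deny  {exc}")
```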

