[Mono-bugs] [Bug 78119][Cri] New - Malformed URIs may expose OS files

bugzilla-daemon at bugzilla.ximian.com
Sat Apr 15 13:48:11 EDT 2006


Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by ivo at datamax.bg.

http://bugzilla.ximian.com/show_bug.cgi?id=78119

--- shadow/78119	2006-04-15 13:48:11.000000000 -0400
+++ shadow/78119.tmp.10036	2006-04-15 13:48:11.000000000 -0400
@@ -0,0 +1,40 @@
+Bug#: 78119
+Product: Mono: Class Libraries
+Version: unspecified
+OS: 
+OS Details: Linux 2.6.14-1.1656_FC4smp i386 GNU/Linux
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Critical
+Component: Sys.Web
+AssignedTo: gonzalo at ximian.com                            
+ReportedBy: ivo at datamax.bg               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: Malformed URIs may expose OS files
+
+Please fill in this template when reporting a bug, unless you know what you
+are doing.
+Description of Problem:
+
+Malformed URIs may expose any file XSP/Web server has access to.
+
+Steps to reproduce the problem:
+1. Set up a test application with cookies disabled
+2. Pad the session part of the URI with four slashes and the target file
+absolute path name (e.g. http://myhost/app1/(2001992881)////etc/passwd)
+
+Actual Results:
+
+The file content is exposed
+
+Expected Results:
+
+Bad path exception
+
+Additional Information:
+
+I've made a snap-in fixup, but the bug is actually in the URI handling code.
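Review bot: The header fields leave Version as "unspecified" and Severity empty while Priority is set to Critical, and the reproduction steps do not say which XSP build was tested, so the affected range cannot be judged from the report. Suggest filling in Version and Severity and attaching the fixup mentioned under Additional Information, since the report itself says the real defect is in the URI handling code and the workaround cannot be compared against it from the text alone. It would also help to state under Expected Results whether the path after the session segment `(2001992881)` should be rejected outright or normalised and then confined to the application root.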

