[Mono-bugs] [Bug 77406][Maj] Changed - Insecure apache configuration allows for direct download of web service assemblies

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Mon Jan 30 13:15:02 EST 2006


Please do not reply to this email. If you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by gonzalo at ximian.com.

http://bugzilla.ximian.com/show_bug.cgi?id=77406

--- shadow/77406	2006-01-30 12:24:04.000000000 -0500
+++ shadow/77406.tmp.31888	2006-01-30 13:15:02.000000000 -0500
@@ -1,14 +1,14 @@
 Bug#: 77406
 Product: Mono: Tools
 Version: 1.1
 OS: other
 OS Details: Debian Unstable
-Status: NEW   
-Resolution: 
-Severity: 
+Status: RESOLVED   
+Resolution: FIXED
+Severity: Unknown
 Priority: Major
 Component: tools
 AssignedTo: mono-bugs at ximian.com                            
 ReportedBy: dana at vulscan.com               
 QAContact: mono-bugs at ximian.com
 TargetMilestone: ---
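Review bot: the Severity field is set to "Unknown" in the same change that marks the bug RESOLVED/FIXED, while Priority stays Major and the summary describes an information-disclosure issue in the Apache/mod_mono configuration; closing a security bug with an unknown severity makes it harder to triage for the backport to 1.1.13 mentioned below. Suggest recording a severity consistent with the Major priority before resolving, e.g. `+Severity: Major`.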
@@ -52,6 +52,21 @@
 of any file in the bin dir. Another would be to document this as a security
 configuration setting requirement that is needed when using Apache. Either
 way, it is exposing Mono's web services to undue information disclosure
 risk and should somehow be documented to reflect this.
 
 Feel free to contact me if you need any further information on this.
+
+------- Additional Comments From gonzalo at ximian.com  2006-01-30 13:15 -------
+This was a problem that I fixed in HEAD a few days ago by adding a
+httpHandler to machine.config that forbids access to "*.dll". I have
+backported the same change to the 1.1.13 branch and also added
+"*.Config" to the list of extensions handled by mod_mono (it's also a
+403).
+
+The line added (1.x) was:
+<add verb="*" path="*.dll" type="System.Web.HttpForbiddenHandler,
+System.Web, Version=1.0.5000.0, Culture=neutral,
+PublicKeyToken=b03f5f7f11d50a3a" />
+
+inside <httpHandlers> section in machine.config.
+
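Review bot: the `<add verb="*" path="*.dll" ... HttpForbiddenHandler ...>` entry in machine.config only returns a 403 for requests that Apache actually hands to mod_mono; the comment itself shows this dependency, since "*.Config" had to be added to mod_mono's list of handled extensions for the same 403 to apply. The original report speaks of direct download "of any file in the bin dir", so any other file type dropped into bin/ (Mono's .mdb debug symbol files, for example) would still be served by Apache unless it is also routed to mod_mono. Suggest the comment also state the Apache-side requirement the reporter asked for (documenting a deny rule for the bin directory as a configuration requirement, or forwarding everything under bin/ to mod_mono), and note whether the `path="*.dll"` pattern is matched case-insensitively on a case-sensitive filesystem, since `Foo.DLL` would otherwise bypass it.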