[Mono-bugs] [Bug 77406][Maj] Changed - Insecure apache configuration allows for direct download of web service assemblies
bugzilla-daemon at bugzilla.ximian.com
Mon Jan 30 13:15:02 EST 2006
Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by gonzalo at ximian.com.
http://bugzilla.ximian.com/show_bug.cgi?id=77406
--- shadow/77406 2006-01-30 12:24:04.000000000 -0500
+++ shadow/77406.tmp.31888 2006-01-30 13:15:02.000000000 -0500
@@ -1,14 +1,14 @@
Bug#: 77406
Product: Mono: Tools
Version: 1.1
OS: other
OS Details: Debian Unstable
-Status: NEW
-Resolution:
-Severity:
+Status: RESOLVED
+Resolution: FIXED
+Severity: Unknown
Priority: Major
Component: tools
AssignedTo: mono-bugs at ximian.com
ReportedBy: dana at vulscan.com
QAContact: mono-bugs at ximian.com
TargetMilestone: ---
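Review bot: Severity is set to "Unknown" in the same edit that moves Status to RESOLVED / Resolution to FIXED, while Priority stays Major and the report below describes an information-disclosure exposure of web service assemblies; the severity field should carry an actual value rather than a placeholder when a security bug is closed. TargetMilestone also remains "---" even though the comment states the fix landed in HEAD and was backported to the 1.1.13 branch, so the milestone could record the release that carries the fix.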
@@ -52,6 +52,21 @@
of any file in the bin dir. Another would be to document this as a security
configuration setting requirement that is needed when using Apache. Either
way, it is exposing Mono's web services to undue information disclosure
risk and should somehow be documented to reflect this.
Feel free to contact me if you need any further information on this.
+
+------- Additional Comments From gonzalo at ximian.com 2006-01-30 13:15 -------
+This was a problem that I fixed in HEAD a few days ago by adding a
+httpHandler to machine.config that forbids access to "*.dll". I have
+backported the same change to the 1.1.13 branch and also added
+"*.Config" to the list of extensions handled by mod_mono (it's also a
+403).
+
+The line added (1.x) was:
+<add verb="*" path="*.dll" type="System.Web.HttpForbiddenHandler,
+System.Web, Version=1.0.5000.0, Culture=neutral,
+PublicKeyToken=b03f5f7f11d50a3a" />
+
+inside <httpHandlers> section in machine.config.
+
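Review bot: The httpHandler shown only takes effect for requests that mod_mono forwards into the ASP.NET pipeline, and the comment says "*.Config" was added to the list of extensions handled by mod_mono but does not say the same for "*.dll"; if Apache does not hand *.dll requests to mod_mono, the HttpForbiddenHandler in machine.config is never consulted and Apache serves the assembly as a static file, which is exactly the "insecure apache configuration" in the bug title. Worth confirming that *.dll is on that list as well. Two further gaps against the report itself: the reporter's concern was "any file in the bin dir", while the fix covers only the .dll and .Config extensions, and the report asked that the Apache-side requirement be documented regardless; the closing comment does not mention documentation, so either the remaining bin-directory exposure or the documentation request should be noted before marking FIXED.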