[Mono-bugs] [Bug 413534] New: VUL-0: Mono ASP.NET class library has potential XSS problem

bugzilla_noreply at novell.com bugzilla_noreply at novell.com
Thu Jul 31 05:34:13 EDT 2008


https://bugzilla.novell.com/show_bug.cgi?id=413534


           Summary: VUL-0: Mono ASP.NET class library has potential XSS
                    problem
           Product: Mono: Class Libraries
           Version: 2.0
          Platform: Other
        OS/Version: Other
            Status: NEW
          Keywords: security_vulnerability
          Severity: Major
          Priority: P5 - None
         Component: Sys.Web
        AssignedTo: mhabersack at novell.com
        ReportedBy: meissner at novell.com
         QAContact: mono-bugs at lists.ximian.com
                CC: jshort at novell.com, security-team at suse.de,
                    dean at brettle.com
          Found By: Third Party Developer/Partner


We received this report from a mono developer (who is cc'ed).


Please clarify.


>>> On 7/27/2008 at  3:36 PM, <genericemail at novell.com> wrote: 
> 12-Job Title: 
> 13-Company: 
> 14-Phone: 301-990-7141
> 22-Additional: 
> 19-Country: United States
> 11-Your Name: Dean Brettle
> 17-State: CA
> 16-City: Redwood City
> from: dean at brettle.com
> 21-Issue: Mono's ASP.NET implementation HTML-encodes most 
> properties/attributes, but does not encode some. As a result an unsuspecting 
> ASP.NET developer can inadvertently create an XSS vulnerability.
> 
> The following properties/attributes are not encoded by Mono but are encoded 
> by MS' ASP.NET implementation:
> 
> 1. HtmlSelect.Value and HtmlSelect.Text
> 2. The "action" attribute of a <form> element.
> 
> The lack of encoding for the form "action" attribute is particularly 
> dangerous because the default "action" is the URL used to visit the page.  To 
> see why this is a problem, change the hostname and page in the following HTML 
> so that they point to a page hosted by Mono and then use IE (not Firefox) to 
> view the HTML and follow the link:
> <a href="http://hostname/page.aspx?&quot;onmouseover=&quot;window.alert('xss');&quot;">link</a>
> 
> In addition to the above attributes, the following attributes are not 
> encoded by Mono or MS.NET, but should be IMO:
> HtmlInputRadioButton.Value, HtmlImage.Src and HtmlInputImage.Src.  I just 
> reported these to secure at microsoft.com.  I don't know what action they will 
> take, but even if they choose not to fix these, I think Mono should sacrifice 
> strict compatibility with MS.NET to provide better security in situations 
> like this.
> 
> I have commit privs for Mono SVN and have a patch for all of the above 
> (including unit tests).  I can commit to the mono-2-0 branch and trunk, but I 
> need clarification on whether to encode the attributes that aren't currently 
> encoded by MS.
> 
> Also, since this is a security issue I wasn't sure if you needed me to wait 
> until you could put out patched packages or something similar.
> 
> I posted an earlier (incomplete) version of the patch to the mono-devel list 
> before I realized the security implications:
> 
> http://lists.ximian.com/pipermail/mono-devel-list/2008-July/028633.html
> 
> I can also email you my latest patch if it helps.
> 
> 
> --Dean
> 20-Product: Mono (at least 1.2, probably all versions)
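The form "action" case in Dean's report, shown as an added example that is not part of the bug report or of Mono's System.Web code: a minimal tag renderer in the unencoded (reported) and attribute-encoded (hardened) forms, plus a lenient attribute scan that shows what a browser ends up with. The request URL is constructed, and Python's html.escape stands in for ASP.NET's attribute encoding.

```python
import html
import re

# Constructed sample (not from the report): the path and query string a page
# would see after the link in the report is followed. The '"' in the query
# closes the action attribute early if it is written out verbatim.
INJECTED_REQUEST_URL = '/page.aspx?"onmouseover="window.alert(\'xss\');"'


def render_form_unencoded(action):
    """The behaviour the report describes: the action value (by default the
    URL used to request the page) goes into the tag without encoding."""
    return '<form method="post" action="%s">' % action


def render_form_encoded(action):
    """Hardened form: attribute-encode the value first. html.escape with
    quote=True rewrites '"' as &quot; (and &, <, >, ' likewise), so the
    browser keeps the whole value inside the action attribute."""
    return '<form method="post" action="%s">' % html.escape(action, quote=True)


# Lenient attribute scan mimicking a browser tokenizer: a name="value" pair
# is accepted even with no whitespace before it, which is exactly why
# action="/page.aspx?"onmouseover="..." yields an extra event-handler attribute.
_ATTR_RE = re.compile(r'([A-Za-z][\w-]*)="([^"]*)"')


def form_attributes(tag):
    """Return {name: raw_value} for the attributes a browser would see."""
    return dict(_ATTR_RE.findall(tag))


def injects_event_handler(tag):
    """Detection check: does the rendered tag carry any on* attribute?"""
    return any(name.lower().startswith("on") for name in form_attributes(tag))


def decoded_action(tag):
    """The action value after entity decoding, i.e. where the browser will
    actually submit; the encoded form must round-trip the original URL."""
    return html.unescape(form_attributes(tag)["action"])


if __name__ == "__main__":
    for render in (render_form_unencoded, render_form_encoded):
        tag = render(INJECTED_REQUEST_URL)
        print(tag)
        print("  event handler injected:", injects_event_handler(tag))
```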

