[Mono-bugs] [Bug 413534] New: VUL-0: Mono ASP.NET class library has potential XSS problem
bugzilla_noreply at novell.com
Thu Jul 31 05:34:13 EDT 2008
https://bugzilla.novell.com/show_bug.cgi?id=413534
Summary: VUL-0: Mono ASP.NET class library has potential XSS
problem
Product: Mono: Class Libraries
Version: 2.0
Platform: Other
OS/Version: Other
Status: NEW
Keywords: security_vulnerability
Severity: Major
Priority: P5 - None
Component: Sys.Web
AssignedTo: mhabersack at novell.com
ReportedBy: meissner at novell.com
QAContact: mono-bugs at lists.ximian.com
CC: jshort at novell.com, security-team at suse.de,
dean at brettle.com
Found By: Third Party Developer/Partner
We received this report from a Mono developer (who is cc'ed).
Please clarify.
>>> On 7/27/2008 at 3:36 PM, <genericemail at novell.com> wrote:
> 12-Job Title:
> 13-Company:
> 14-Phone: 301-990-7141
> 22-Additional:
> 19-Country: United States
> 11-Your Name: Dean Brettle
> 17-State: CA
> 16-City: Redwood City
> from: dean at brettle.com
> 21-Issue: Mono's ASP.NET implementation HTML-encodes most
> properties/attributes, but does not encode some. As a result an unsuspecting
> ASP.NET developer can inadvertently create an XSS vulnerability.
>
> The following properties/attributes are not encoded by Mono but are encoded
> by MS' ASP.NET implementation:
>
> 1. HtmlSelect.Value and HtmlSelect.Text
> 2. The "action" attribute of a <form> element.
>
> The lack of encoding for the form "action" attribute is particularly
> dangerous because the default "action" is the URL used to visit the page. To
> see why this is a problem, change the hostname and page in the following HTML
> so that they point to a page hosted by Mono and then use IE (not Firefox) to
> view the HTML and follow the link:
> <a href="http://hostname/page.aspx?&quot;onmouseover=&quot;window.alert('xss');&quot;">link</a>
>
> In addition to the above attributes, the following attributes are not
> encoded by Mono or MS.NET, but should be IMO:
> HtmlInputRadioButton.Value, HtmlImage.Src and HtmlInputImage.Src. I just
> reported these to secure at microsoft.com. I don't know what action they will
> take, but even if they choose not to fix these, I think Mono should sacrifice
> strict compatibility with MS.NET to provide better security in situations
> like this.
>
> I have commit privs for Mono SVN and have a patch for all of the above
> (including unit tests). I can commit to the mono-2-0 branch and trunk, but I
> need clarification on whether to encode the attributes that aren't currently
> encoded by MS.
>
> Also, since this is a security issue I wasn't sure if you needed me to wait
> until you could put out patched packages or something similar.
>
> I posted an earlier (incomplete) version of the patch to the mono-devel list
> before I realized the security implications:
>
> http://lists.ximian.com/pipermail/mono-devel-list/2008-July/028633.html
>
> I can also email you my latest patch if it helps.
>
>
> --Dean
> 20-Product: Mono (at least 1.2, probably all versions)
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
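
The form "action" case described in the report, as an added example (not code from the report, the patch, or Mono): the request URL from the report's link is written into a `<form>` start tag with and without `HttpUtility.HtmlAttributeEncode`, and a regression-style check lists the attributes a browser would see. `RenderFormTag` and `AttributeNames` are hypothetical helpers assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web; // HttpUtility.HtmlAttributeEncode

static class FormActionEncodingDemo
{
    // Hypothetical stand-in for a control's renderer; not Mono's code.
    static string RenderFormTag(string action, bool encode)
    {
        string value = encode ? HttpUtility.HtmlAttributeEncode(action) : action;
        return "<form method=\"post\" action=\"" + value + "\">";
    }

    // Lists the attribute names an HTML parser would find in a start tag.
    // A quote inside an unencoded value ends that value early, so whatever
    // follows it is picked up as a separate attribute.
    static List<string> AttributeNames(string tag)
    {
        var names = new List<string>();
        foreach (Match m in Regex.Matches(tag, "([A-Za-z-]+)\\s*=\\s*\"[^\"]*\""))
            names.Add(m.Groups[1].Value.ToLowerInvariant());
        return names;
    }

    static void Main()
    {
        // Constructed input: the request URL produced by the link in the
        // report when the browser sends the quotes without escaping them.
        string rawUrl = "/page.aspx?\"onmouseover=\"window.alert('xss');\"";

        foreach (bool encode in new[] { false, true })
        {
            string tag = RenderFormTag(rawUrl, encode);
            List<string> names = AttributeNames(tag);
            Console.WriteLine((encode ? "encoded:   " : "unencoded: ") + tag);
            Console.WriteLine("  attributes: " + string.Join(", ", names));
            // A unit test for the renderer would assert this is false.
            Console.WriteLine("  injected handler: " + names.Contains("onmouseover"));
        }
    }
}
```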