[Mono-dev] Security Issue

Greg Young gregoryyoung1 at gmail.com
Fri Feb 28 15:22:11 UTC 2014


After some reproduction work we found it was an API difference in mono
httplistener vs .net http listener that caused us to mangle something.

In particular on a post with no content-length mono throws a disposed
exception on accessing context where as .net does not.

To reproduce use:

curl -v http://server.com/ -X POST

Cheers,

Greg


On Fri, Feb 28, 2014 at 3:48 PM, Sebastien Pouliot <
sebastien.pouliot at gmail.com> wrote:

> Hello Greg,
>
> Use the contact form found at
> http://www.mono-project.com/Vulnerabilities
>
> Thanks
> Sebastien
>
>
> On Fri, Feb 28, 2014 at 8:40 AM, Greg Young <gregoryyoung1 at gmail.com>wrote:
>
>> I believe I have what should be a top rated security vulnerability that
>> probably should not be discussed on this list as it allows anyone to take
>> down a mono back end with a poisoned packet. Who should I talk to about
>> this?
>>
>> Greg
>>
>> --
>> Le doute n'est pas une condition agréable, mais la certitude est absurde.
>>
>> _______________________________________________
>> Mono-devel-list mailing list
>> Mono-devel-list at lists.ximian.com
>> http://lists.ximian.com/mailman/listinfo/mono-devel-list
>>
>>
>


-- 
Le doute n'est pas une condition agréable, mais la certitude est absurde.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ximian.com/pipermail/mono-devel-list/attachments/20140228/d8c3c973/attachment.html>


More information about the Mono-devel-list mailing list