[Mono-dev] Security Issue

Brandon Perry bperry.volatile at gmail.com
Fri Feb 28 18:49:47 UTC 2014


Does this work against xsp running independently from apache or does it require mod_mono? Currently testing against xsp4 2.10.0.0 and the web server does not crash.

Obviously this is relatively old.

Sent from a computer

> On Feb 28, 2014, at 9:22 AM, Greg Young <gregoryyoung1 at gmail.com> wrote:
> 
> After some reproduction work we found it was an API difference in mono httplistener vs .net http listener that caused us to mangle something.
> 
> In particular on a post with no content-length mono throws a disposed exception on accessing context whereas .net does not.
> 
> To reproduce use:
> 
> curl -v http://server.com/ -X POST
> 
> Cheers,
> 
> Greg
> 
> 
>> On Fri, Feb 28, 2014 at 3:48 PM, Sebastien Pouliot <sebastien.pouliot at gmail.com> wrote:
>> Hello Greg,
>> 
>> Use the contact form found at
>> http://www.mono-project.com/Vulnerabilities
>> 
>> Thanks
>> Sebastien
>> 
>> 
>>> On Fri, Feb 28, 2014 at 8:40 AM, Greg Young <gregoryyoung1 at gmail.com> wrote:
>>> I believe I have what should be a top rated security vulnerability that probably should not be discussed on this list as it allows anyone to take down a mono back end with a poisoned packet. Who should I talk to about this?
>>> 
>>> Greg
>>> 
>>> -- 
>>> Doubt is not a pleasant condition, but certainty is absurd.
>>> 
>>> _______________________________________________
>>> Mono-devel-list mailing list
>>> Mono-devel-list at lists.ximian.com
>>> http://lists.ximian.com/mailman/listinfo/mono-devel-list
>>> 
>> 
> 
> 
> 
> -- 
> Doubt is not a pleasant condition, but certainty is absurd.
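The failure described in the thread (a POST with no Content-Length making mono's HttpListener throw a disposed exception when the context is accessed) stays contained when every touch of the context sits inside a per-request try/catch. The following C# is an added example, not code from the thread or from Mono; the listener prefix, the choice to answer such requests with 411, and the class and method names are assumptions.

```csharp
using System;
using System.Net;
using System.Text;

static class ContainedListener
{
    static void Main()
    {
        var listener = new HttpListener();
        listener.Prefixes.Add("http://127.0.0.1:8080/"); // assumed local prefix
        listener.Start();
        while (listener.IsListening)
        {
            HttpListenerContext ctx;
            try { ctx = listener.GetContext(); }
            catch (HttpListenerException) { break; }   // listener was stopped
            catch (ObjectDisposedException) { break; } // listener was closed
            Handle(ctx);
        }
    }

    static void Handle(HttpListenerContext ctx)
    {
        try
        {
            // All access to the context happens inside this try block.
            HttpListenerRequest req = ctx.Request;
            bool noLength = req.Headers["Content-Length"] == null && !req.HasEntityBody;
            if (req.HttpMethod == "POST" && noLength)
            {
                Reply(ctx, 411, "Length Required"); // assumed policy for this example
                return;
            }
            Reply(ctx, 200, "ok");
        }
        catch (ObjectDisposedException e)
        {
            // The runtime already tore the request down: log it, keep serving.
            Console.Error.WriteLine("request dropped: " + e.Message);
        }
        catch (Exception e)
        {
            Console.Error.WriteLine("handler failed: " + e);
            try { ctx.Response.Abort(); } catch (Exception) { /* already gone */ }
        }
    }

    static void Reply(HttpListenerContext ctx, int status, string text)
    {
        byte[] body = Encoding.UTF8.GetBytes(text);
        ctx.Response.StatusCode = status;
        ctx.Response.ContentLength64 = body.Length;
        ctx.Response.OutputStream.Write(body, 0, body.Length);
        ctx.Response.Close();
    }
}
```

With the handler written this way, the `curl -v ... -X POST` request quoted above should produce one log line or a 411 reply instead of an unhandled exception.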