Mono ASP.NET 'mod_mono' Source Code Information Disclosure Vulnerability

http://www.securityfocus.com/bid/45711

Security Info

Bugtraq ID:	45711
Class:	Unknown
CVE:	CVE-2010-4225
Remote:	Yes
Local:	No
Published:	Jan 07 2011 12:00AM
Updated:	Jun 22 2012 12:20AM
Credit:	The vendor reported this issue.
Vulnerable:	Mono Mono 2.8.1 Mono Mono 2.6.4 Mono Mono 2.4.2 .1 Mono Mono 2.4.2 Mono Mono 2.0 Mono Mono 1.2.5 2 Mono Mono 1.2.5 1 Mono Mono 1.1.18 Mono Mono 1.1.17 Mono Mono 1.1.13 Mono Mono 1.1.4 Mono Mono 1.0.5 Mono Mono 1.0 Mono Mono 2.8 Mono Mono 2.8 Mono Mono 2.4.3-2 Mono Mono 1.1.8.3 Mono Mono 1.1.17.1 Mono Mono 1.1.13.7 Mono Mono 1.1.13.6 Mono Mono 1.1.13.4 Gentoo Linux

Not Vulnerable:	Mono Mono 2.8.2

Security Discussion

Mono ASP.NET is prone to an information-disclosure vulnerability in the ASP.NET implementation.

Successful exploits will allow attackers to gain access to the source code of '.aspx' files and other file types present in the web application directory. Any information obtained may aid in further attacks.

Mono ASP.NET versions prior to 2.8.2 are vulnerable.

Proof of Concept and Security Exploits

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

Security Solution(s)

Solution:
Vendor updates are available. Please see the references for more information.

Security References(s)

References:

Product Homepage (mono)
XSP/mod_mono source code disclosure (mono)

Emagined Security Blog featuring Dr. Eugene Schultz

Secure Web Programming
by Vizual Services