Pardus alert 2010-79 (mono-web mono-runtime mono-jscript)

From:  Eren Turkay <eren@pardus.org.tr>
To:  pardus-security@pardus.org.tr
Subject:  [Pardus-security] [PLSA 2010-79] Mono: Cross Site Scripting
Date:  Tue, 15 Jun 2010 12:39:35 +0300 (EEST)
Message-ID:  <20100615093935.AA807A7AC79@lider.pardus.org.tr>

------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-79            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-06-15
  Severity: 3
      Type: Local
------------------------------------------------------------------------

Summary
=======

A default configuration of ASP.NET in Mono which allows Cross Site
Scripting (XSS) attacks has been fixed.

Description
===========

CVE-2010-1459:

The default configuration of ASP.NET in Mono before 2.6.4 has a value of
FALSE for the EnableViewStateMac property, which allows remote attackers
to conduct cross-site scripting (XSS) attacks, as demonstrated by the
__VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.

Affected packages:

  Pardus 2009:
    mono-web, all before 2.6.4-31-3
    mono-runtime, all before 2.6.4-31-3
    mono-jscript, all before 2.6.4-31-3

Resolution
==========

There are update(s) for mono-web, mono-runtime, mono-jscript. You can
update them via Package Manager or with a single command from console:

    pisi up mono-web mono-runtime mono-jscript

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=13263

------------------------------------------------------------------------

_______________________________________________
Pardus-security mailing list
Pardus-security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
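An audit sketch for the setting named in the advisory, added here as an example and not part of the advisory or of Mono: it reports the effective EnableViewStateMac value per scope of an ASP.NET configuration file and flags pages that switch it off in their directive. The function names and the sample inputs are constructed for illustration; the `default_mac` argument is an assumption the caller supplies (FALSE for Mono before 2.6.4, per the advisory).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real deployment).
WEAK_CONFIG = """<configuration>
  <system.web><pages enableViewStateMac="false" /></system.web>
</configuration>"""

INHERITING_CONFIG = """<configuration>
  <system.web><pages validateRequest="true" /></system.web>
  <location path="admin">
    <system.web><pages enableViewStateMac="true" /></system.web>
  </location>
</configuration>"""

# Matches <%@ Page ... EnableViewStateMac="..." %> inside one directive.
PAGE_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*"(\w+)"', re.I)


def _mac(node, inherited):
    """Effective value for one scope; an absent attribute inherits."""
    pages = node.find("system.web/pages")
    raw = pages.get("enableViewStateMac") if pages is not None else None
    return inherited if raw is None else raw.strip().lower() == "true"


def audit_config(xml_text, default_mac):
    """Return [(scope, effective_value)] for the root and each <location>.

    default_mac is the runtime default used when nothing sets the
    attribute (assumption supplied by the caller).
    """
    root = ET.fromstring(xml_text)
    top = _mac(root, default_mac)
    results = [("/", top)]
    for loc in root.iter("location"):
        results.append((loc.get("path", ""), _mac(loc, top)))
    return results


def page_disables_mac(aspx_text):
    """True when a page directive turns the view state MAC off."""
    m = PAGE_DIRECTIVE.search(aspx_text)
    return bool(m) and m.group(1).lower() == "false"


if __name__ == "__main__":
    for scope, ok in audit_config(INHERITING_CONFIG, default_mac=False):
        print(scope, "MAC enabled" if ok else "MAC DISABLED")
```

A scope reported as disabled under the pre-2.6.4 default stays exposed until the packages are updated or the attribute is set to true explicitly.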


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds