CVE-2006-6104 : The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

Published 2006-12-21 19:28:00

Updated 2025-04-09 00:30:58

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2006-6104

Mono » XSP » Version: 1.2.1
cpe:2.3:a:mono:xsp:1.2.1:*:*:*:*:*:*:*
Matching versions
Mono » XSP » Version: 2.0
cpe:2.3:a:mono:xsp:2.0:*:*:*:*:*:*:*
Matching versions
Mono » XSP » Version: 1.1
cpe:2.3:a:mono:xsp:1.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2006-6104

EPSS FAQ

14.76%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 94 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2006-6104

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

References for CVE-2006-6104

http://fedoranews.org/cms/node/2401

404 Not Found

CVEs referencing this url
http://secunia.com/advisories/23776

About Secunia Research | Flexera

CVEs referencing this url
http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html

eazel.es | Registrado en DonDominio
Exploit
http://secunia.com/advisories/23779

About Secunia Research | Flexera
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2092

404 Not Found
http://www.securityfocus.com/archive/1/454962/100/0/threaded
http://secunia.com/advisories/23432

About Secunia Research | Flexera
Exploit;Patch;Vendor Advisory
http://secunia.com/advisories/23435

About Secunia Research | Flexera
Patch;Vendor Advisory
http://security.gentoo.org/glsa/glsa-200701-12.xml

Mono: Information disclosure (GLSA 200701-12) — Gentoo security
http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html

Object not found!
http://www.ubuntu.com/usn/usn-397-1

USN-397-1: mono vulnerability | Ubuntu security notices | Ubuntu
Patch
http://secunia.com/advisories/23462

About Secunia Research | Flexera
Patch;Vendor Advisory
http://securitytracker.com/id?1017430

Access Denied
http://fedoranews.org/cms/node/2400

404 Not Found
http://www.mandriva.com/security/advisories?name=MDKSA-2006:234

Mandriva
Patch;Vendor Advisory
http://secunia.com/advisories/23597

About Secunia Research | Flexera
http://securityreason.com/securityalert/2082

Mono XSP ASP.NET Server sourcecode disclosure vulnerability - CXSecurity.com
http://www.securityfocus.com/bid/21687

Exploit;Patch
http://www.vupen.com/english/advisories/2006/5099

Site en construction
http://secunia.com/advisories/23727

About Secunia Research | Flexera

Jump to

Vulnerability Details : CVE-2006-6104

Products affected by CVE-2006-6104

Exploit prediction scoring system (EPSS) score for CVE-2006-6104

CVSS scores for CVE-2006-6104

References for CVE-2006-6104