full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] [PLSA 2008-32] Mono: Cross

[Full-disclosure] [PLSA 2008-32] Mono: Cross Site Scripting

From: Pınar Yanardağ <pinar_at_nospam>
Date: Sun Aug 31 2008 - 00:56:34 GMT
To: pardus-security@pardus.org.tr



Pardus Linux Security Advisory 2008-32 security@pardus.org.tr
Date: 2008-08-31 Severity: 2 Type: Remote
------------------------------------------------------------------------

Summary


Juraj Skripsky has reported a vulnerability in Mono, which can be exploited by malicious people to conduct HTTP header injection attacks.

Description


The vulnerability is caused due to the Sys.Web module not properly sanitising certain parameters before using them in HTTP responses. This can be exploited to inject arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site.

Affected packages:

   Pardus 2008:
     mono, all before 1.2.6-17-2

Resolution


There are update(s) for mono. You can update them via Package Manager or with a single command from console:

     pisi up mono

References


-- Pınar Yanardağ Pardus Security Team http://security.pardus.org.tr _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/