------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-79 security@pardus.org.tr
------------------------------------------------------------------------
Date: 2010-06-15
Severity: 3
Type: Local
------------------------------------------------------------------------
Summary
======
A default configuration of ASP.NET in Mono which allows Cross Site
Scripting (XSS) attacks has been fixed.
Description
==========
CVE-2010-1459:
The default configuration of ASP.NET in Mono before 2.6.4 has a value of
FALSE for the EnableViewStateMac property, which allows remote attackers
to conduct cross-site scripting (XSS) attacks, as demonstrated by the
__VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project.
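As an added illustration (not part of the Pardus advisory or of the Mono project), the weak default the advisory describes is shown below as an explicit web.config setting, beside the corrected one. Writing the attribute into the application's own web.config means the protection no longer depends on whichever framework default happens to be installed; the file is assumed to sit in the application root.

```xml
<!-- web.config (added example, not taken from the advisory or from Mono) -->
<configuration>
  <system.web>
    <!-- WEAK: equivalent to the Mono default before 2.6.4. Without a MAC the
         server accepts any __VIEWSTATE value the client hands back, so
         tampered view state is deserialized and rendered into the page. -->
    <!-- <pages enableViewStateMac="false" /> -->

    <!-- CORRECTED: the server appends a keyed hash to the serialized view
         state and rejects any __VIEWSTATE whose MAC does not verify. -->
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
```

The same property can also be set per page through the `<%@ Page EnableViewStateMac="..." %>` directive, and a page-level value overrides web.config, so an audit should grep the .aspx files for `EnableViewStateMac="false"` as well as checking the site configuration. Once the MAC is enabled, a request carrying modified view state fails view-state validation instead of rendering; those validation errors in the server log are the indicator to watch for.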
Affected packages:
Pardus 2009:
mono-web, all before 2.6.4-31-3
mono-runtime, all before 2.6.4-31-3
mono-jscript, all before 2.6.4-31-3
Resolution
=========
There are update(s) for mono-web, mono-runtime, mono-jscript. You can
update them via Package Manager or with a single command from the console:
pisi up mono-web mono-runtime mono-jscript
References
=========
* http://bugs.pardus.org.tr/show_bug.cgi?id=263
------------------------------------------------------------------------