CVE-2006-6104

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2006-6104

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2006-6104.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2006-6104

Downstream

DEBIAN-CVE-2006-6104

Published

2006-12-21T19:28:00Z

Modified

2025-08-09T20:01:27Z

Summary

[none]

Details

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

References

http://secunia.com/advisories/23432
http://secunia.com/advisories/23435
http://secunia.com/advisories/23462
http://secunia.com/advisories/23597
http://secunia.com/advisories/23727
http://secunia.com/advisories/23776
http://secunia.com/advisories/23779
http://security.gentoo.org/glsa/glsa-200701-12.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:234
http://www.vupen.com/english/advisories/2006/5099
http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html
http://www.securityfocus.com/bid/21687
http://www.ubuntu.com/usn/usn-397-1
http://fedoranews.org/cms/node/2400
http://fedoranews.org/cms/node/2401
http://lists.suse.com/archive/suse-security-announce/2007-Jan/0002.html
http://securityreason.com/securityalert/2082
http://securitytracker.com/id?1017430
http://www.securityfocus.com/archive/1/454962/100/0/threaded
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2092

CVE-2006-6104

Affected packages