After some reproduction work we found it was an API difference in mono httplistener vs .net http listener that caused us to mangle something.
In particular on a post with no content-length mono throws a disposed exception on accessing context where as .net does not. To reproduce use: curl -v http://server.com/ -X POST Cheers, Greg On Fri, Feb 28, 2014 at 3:48 PM, Sebastien Pouliot < sebastien.poul...@gmail.com> wrote: > Hello Greg, > > Use the contact form found at > http://www.mono-project.com/Vulnerabilities > > Thanks > Sebastien > > > On Fri, Feb 28, 2014 at 8:40 AM, Greg Young <gregoryyou...@gmail.com>wrote: > >> I believe I have what should be a top rated security vulnerability that >> probably should not be discussed on this list as it allows anyone to take >> down a mono back end with a poisoned packet. Who should I talk to about >> this? >> >> Greg >> >> -- >> Le doute n'est pas une condition agréable, mais la certitude est absurde. >> >> _______________________________________________ >> Mono-devel-list mailing list >> Mono-devel-list@lists.ximian.com >> http://lists.ximian.com/mailman/listinfo/mono-devel-list >> >> > -- Le doute n'est pas une condition agréable, mais la certitude est absurde.
_______________________________________________ Mono-devel-list mailing list Mono-devel-list@lists.ximian.com http://lists.ximian.com/mailman/listinfo/mono-devel-list