Common Vulnerabilities and Exposures assigned an identifier CVE-2010-1459 to the following vulnerability: The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project. Upstream patch: [1] http://anonsvn.mono-project.com/viewvc?view=revision&revision=154493 References: [2] http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/04/29/asp-net-cross-site-scripting-followup-mono.aspx [3] http://www.mono-project.com/Vulnerabilities#ASP.NET_View_State_Cross-Site_Scripting [4] http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html [5] http://www.securityfocus.com/bid/40351
Created attachment 418328 [details] Upstream patch against v1.9.1
This issue affects the versions of the mono package, as shipped with Fedora release of 11, 12 and 13. This issue affects the version of the mono package, as present in EPEL-5 repository. Please fix.
gnome-sharp-2.24.1-1.fc13,gtksourceview-sharp-2.0.12-11.fc13,mono-tools-2.6.2-1.fc13,mod_mono-2.6.3-1.fc13,xsp-2.6.4-1.fc13,mono-2.6.4-1.fc13,mono-basic-2.6.2-1.fc13,libgdiplus-2.6.4-1.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/gnome-sharp-2.24.1-1.fc13,gtksourceview-sharp-2.0.12-11.fc13,mono-tools-2.6.2-1.fc13,mod_mono-2.6.3-1.fc13,xsp-2.6.4-1.fc13,mono-2.6.4-1.fc13,mono-basic-2.6.2-1.fc13,libgdiplus-2.6.4-1.fc13
mono-2.4.3.1-2.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/mono-2.4.3.1-2.fc12
gnome-sharp-2.24.1-1.fc13, gtksourceview-sharp-2.0.12-11.fc13, mono-tools-2.6.2-1.fc13, mod_mono-2.6.3-1.fc13, xsp-2.6.4-1.fc13, mono-2.6.4-1.fc13, mono-basic-2.6.2-1.fc13, libgdiplus-2.6.4-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
mono-2.4.3.1-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
The issue is now fixed in F12 and F13 and it was never present in RAWHIDE.