Unrated severityNVD Advisory· Published Dec 21, 2006· Updated Apr 23, 2026

CVE-2006-6104

Description

The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for Web.Config%20.

Affected products

Mono/Xsp3 versions
cpe:2.3:a:mono:xsp:1.1:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:mono:xsp:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mono:xsp:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mono:xsp:2.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

secunia.com/advisories/23435nvdPatchVendor Advisory
secunia.com/advisories/23462nvdPatchVendor Advisory
www.mandriva.com/security/advisoriesnvdPatchVendor Advisory
www.ubuntu.com/usn/usn-397-1nvdPatch
secunia.com/advisories/23432nvdExploitPatchVendor Advisory
www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.htmlnvdExploit
www.securityfocus.com/bid/21687nvdExploitPatch
fedoranews.org/cms/node/2400nvd
fedoranews.org/cms/node/2401nvd
lists.suse.com/archive/suse-security-announce/2007-Jan/0002.htmlnvd
secunia.com/advisories/23597nvd
secunia.com/advisories/23727nvd
secunia.com/advisories/23776nvd
secunia.com/advisories/23779nvd
security.gentoo.org/glsa/glsa-200701-12.xmlnvd
securityreason.com/securityalert/2082nvd
securitytracker.com/idnvd
www.securityfocus.com/archive/1/454962/100/0/threadednvd
www.vupen.com/english/advisories/2006/5099nvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2092nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.012
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000