Mono XSP ASP.NET Server Source Code Disclosure Vulnerability

Risk: Medium
CVSS Base Score: 5/10
Exploitability Subscore: 10/10
Impact Subscore: 2.9/10
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
CWE: CWE-Other
CVE: CVE-2006-6104
Local: Yes
Remote: Yes

Timeline:
Nov 29, 2006: Discovered security issue by Jose Ramon Palanco
Nov 30, 2006: Reported to Mono Project
Dec 1, 2006: Patch in subversion rev 68776
Dec 5, 2006: Mono is testing the patch and building packages for the fix
Dec 19, 2006: Published advisory

Description:
Attackers can use source code disclosure attacks to obtain the source code of server-side applications. This can lead to deeper knowledge of the application's logic, request handling, parameters, database structure, and vulnerabilities in the code, aiding in the preparation of attacks.

An attacker can cause source code disclosure by adding (space char) after the URI, for example, . The update also mentions the possibility of retrieving the file, which contains sensitive information like credentials.

Original Advisory: http://www.eazel.es/advisory007-mono-xsp-source-disclosure-vulnerability.html
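
A defender-side check for the trailing-space request pattern described above, added here as an example and not part of the original advisory or the Mono project's code: it scans web-server access logs for request paths that end in a literal or percent-encoded space and reports whether the server answered them. The Common Log Format layout, the function name and the sample log lines are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Assumption: access logs are in Common Log Format. The request target is
# matched greedily so that a literal space typed after the URI stays in it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def trailing_space_requests(lines):
    """Return requests whose path, once percent-decoded, ends in whitespace."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        path = m.group("target").split("?", 1)[0]  # ignore the query string
        decoded = unquote(path)
        if decoded != decoded.rstrip():
            hits.append({
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                # A 200 means the server returned content for the request
                # and the response body should be reviewed.
                "served": m.group("status") == "200",
            })
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Dec/2006:10:01:02 +0000] "GET /app/Default.aspx HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Dec/2006:10:01:09 +0000] "GET /app/Default.aspx%20 HTTP/1.1" 200 1843',
    '203.0.113.9 - - [19/Dec/2006:10:02:44 +0000] "GET /app/Login.aspx  HTTP/1.1" 404 210',
    '203.0.113.9 - - [19/Dec/2006:10:03:00 +0000] "GET /img/my%20logo.png HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in trailing_space_requests(SAMPLE_LOG):
        print(hit)
```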