Here is the advisory. It states: An attacker can cause source code disclosure by adding %20 (space char) after the URI, for example http://www.server.com/app/Default.aspx%20

To test this, I started xsp (in Ubuntu using Parallels):
$ xsp --root ~/xsproot
xsp
Listening on port: 8080 (non-secure)
Listening on address: 0.0.0.0
Root directory: /home/testbox/xsproot
Hit Return to stop the server.

Next, I put the following file in ~/xsproot and called it default.aspx:
<HTML>
<%
//ASP source code below
//Client should not be able to see the code below,
//but just the output, i.e. Hello World!
Response.Output.Write("Hello World!");
%>
</HTML>

I made sure everything is working correctly by requesting default.aspx:
mono-disclosure-1.png

So far, so good.

Next, I requested the same URL, but ending with %20, and Safari displayed a ‘blank’ page:
mono-disclosure-2.png

The reason is that Safari was served the raw ASPX file rather than its output. I was able to view the entire ASPX file simply by doing a View -> Source:
mono-disclosure-3.png

There you go, a good old source code disclosure. I say “good old” because IIS (and other servers) have had similar vulnerabilities in the past (BID 1084).

I don’t think it’s necessary for me to go into how source code disclosure can be a huge risk for any organization. The advisory does a good job of summing this up: Using a source code disclosure attack, an attacker can retrieve the source code of server-side files. Obtaining the source code of server-side files grants the attacker deeper knowledge of the logic behind the Web application, how the application handles requests and their parameters, the structure of the database, vulnerabilities in the code and source code comments. Having the source code, and possibly a duplicate application to test on, helps the attacker to prepare an attack on the application.

Update: it is also possible to retrieve the Web.Config file. This file contains sensitive information such as credentials.
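As an added example (not part of the original post and not xsp's own code), here is a small Python script for the defender's side of this bug: it flags requests with the trailing %20 pattern against server-side file types in access logs, and shows the canonicalization check a server should apply before picking a handler. The extension list and the log lines are constructed assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Extensions a server should hand to the ASP.NET pipeline, never serve raw.
# Assumed for this example; not taken from xsp's own handler configuration.
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".config", ".cs", ".vb"}

def is_trailing_space_bypass(raw_path: str) -> bool:
    """True if the decoded request path names a server-side file but
    carries trailing whitespace, e.g. /app/Default.aspx%20."""
    path = unquote(raw_path.split("?", 1)[0])
    stripped = path.rstrip(" \t")
    if stripped == path:
        return False
    ext = re.search(r"(\.[A-Za-z0-9]+)$", stripped)
    return bool(ext) and ext.group(1).lower() in SERVER_SIDE_EXT

def canonical_path(raw_path: str) -> str:
    """Mitigation side: refuse a path whose decoded form changes when
    trailing whitespace is stripped, before any handler is chosen."""
    path = unquote(raw_path)
    if path != path.rstrip(" \t"):
        raise ValueError("trailing whitespace in request path")
    return path

# Constructed Common Log Format lines for the demo, not real xsp output.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /app/Default.aspx HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /app/Default.aspx%20 HTTP/1.1" 200 801
10.0.0.5 - - [01/Jan/2010:10:00:02 +0000] "GET /app/Web.Config%20 HTTP/1.1" 200 1450
10.0.0.7 - - [01/Jan/2010:10:00:03 +0000] "GET /app/logo.png%20 HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_bypass_requests(log_text: str):
    """Return (path, status) for lines matching the %20 disclosure pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and is_trailing_space_bypass(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits

if __name__ == "__main__":
    for path, status in find_bypass_requests(SAMPLE_LOG):
        print(f"possible source disclosure: {path} -> HTTP {status}")
```

A 200 on such a request is the signal worth alerting on; a 404 (as for the .png line) means the server did not fall back to serving the raw file.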

If you use mono-xsp, please patch immediately. See the advisory for details.