IIS 0 day vulnerability in parsing files
December 24, 2009
Ferruh passed this onto me and this looks like a really interesting vulnerability. Essentially if you can upload a file with semicolon(;) in it, you may be able to upload and execute asp code.
IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.
Original Advisory can be found here
Comments
5 Comments
lol.This Vulnerability have be reported some months ago by kevin1986 from China.
Original:http://www.80sec.com/microsoft-internet-infomation-server-6-isapi-filename-analytic-vulnerabilitie.html
door.asp;-.gif
door.php;-.gif
I guess the big question is, which apps are vulnerable, the obvious one which comes to my mind is the sharepoint. Is that vulnerable?
The problem with Sharepoint in my experience isn’t that you can’t get malicious code uploaded but that it has some kind of sandbox that prevents arbitrary ASPX files from being executed.
1 Trackback
Trackback
[…] IIS 0 day vulnerability in parsing files – http://www.notsosecure.com By using this vulnerability, an attacker can bypass protection and upload a dangerous executable file on the server. […]