Friday, December 25, 2009

Microsoft IIS 0Day Vulnerability in Parsing Files (semi‐colon bug)

A vulnerability has been identified in Microsoft Internet Information Services (IIS) in which the server incorrectly handles files with multiple extensions separated by the ";" character, such as "malicious.asp;.jpg", treating them as ASP files. This could allow attackers to upload malicious executables to a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net.

Pending an IIS security patch, some workarounds are available here.
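For upload handlers, the gap described above is that a filter looking only at the last extension accepts "malicious.asp;.jpg". The following is an added example, not code from the original post or from the linked workarounds: a Python sketch of a stricter filename check. The extension allowlist, function names and sample filenames are assumptions constructed for illustration.

```python
import os
import re
import uuid

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}  # assumed upload policy
# Characters permitted in the client-supplied base name. ';' and '.' are
# deliberately absent, so semicolon names and double extensions are refused.
SAFE_BASE = re.compile(r"[A-Za-z0-9_-]+")


def naive_is_allowed(filename):
    """Filter that trusts only the text after the last dot."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def strict_is_allowed(filename):
    """Accept exactly one allowlisted extension on a plain base name."""
    base, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    # fullmatch also rejects path separators, spaces and control characters.
    return SAFE_BASE.fullmatch(base) is not None


def stored_name(filename):
    """Return a server-generated name for an accepted upload, else None."""
    if not strict_is_allowed(filename):
        return None
    # The client-chosen base name never reaches the file system.
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


def audit(names):
    """List names a last-extension filter accepts but the strict check refuses."""
    return [n for n in names if naive_is_allowed(n) and not strict_is_allowed(n)]


if __name__ == "__main__":
    # Constructed sample of names found in an upload directory.
    sample = ["holiday_2009.png", "photo.JPG", "malicious.asp;.jpg",
              "report.asp.jpg", "notes.txt"]
    for name in audit(sample):
        print("review:", name)
```

Running `audit` over an existing upload directory listing flags files that were accepted under a last-extension rule and should be reviewed.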


See also: Microsoft IIS vuln leaves users open to remote attack

