A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the server in incorrectly handling files with multiple extensions separated by the ";" character such as "malicious.asp;.jpg" as an ASP file. This could allow attackers to upload malicious executables on a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net. Pending an IIS security patch, some workaround are available here. ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org |
Guy 495 Posts ISC Handler Dec 24th 2009 |
Thread locked Subscribe |
Dec 24th 2009 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!