...
There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it "highly critical," vulnerability tracker Secunia classified it as "less critical," which is only the second notch on its five-tier severity rating scale.
...
Source: the Register [theregister.co.uk]
Meaning that it is possible to upload an executable file such as malware.asp;.jpg
When uploading, most code will only check for the last extension (.jpg in this case) and allow the upload. When requesting this file, IIS executes it as an .asp file, ignoring the extension after the semicolon.
Easy to protect yourself though: when checking the extension of an uploaded file, make sure to also check for a semicolon in the filename.
Whether this type of attack succeeds depends on how the files are saved, where they are saved and how they are served back to the user.
The easiest way is to save the user uploaded content in a non-web accessible folder, and use an ASP page or ASP.NET handler to stream that file out to the user. This would stop the attack in its tracks, since there is no way for IIS to process the file as a scripted page.
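An added example (not from either post, and not IIS or Microsoft code) showing, in Python, the weak last-extension check beside a hardened check that also rejects the semicolon, plus a server-chosen storage name under a directory outside the web root as the second post recommends. The allow-list, the upload directory and the sample names are constructed for this example.

```python
import os
import uuid

# Constructed allow-list for this example: only image types are accepted.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# ';' is the character the thread discusses (IIS 6 stops reading the name at it).
# NUL and path separators are added as well-known equivalents (assumption, not
# taken from the thread).
FORBIDDEN_CHARS = (";", "\x00", "/", "\\", ":")


def naive_check(filename):
    """The weak check described in the thread: inspect only the last extension."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def hardened_check(filename):
    """Reject anything IIS 6 could truncate, then apply the allow-list."""
    if not filename or any(ch in filename for ch in FORBIDDEN_CHARS):
        return False
    base, ext = os.path.splitext(filename)
    # Require a non-empty base name so a bare '.jpg' is not accepted.
    return bool(base.strip(".")) and ext.lower() in ALLOWED_EXTENSIONS


def storage_path(filename, upload_root="/srv/uploads"):
    """Return where a validated upload is written: a server-generated name under
    a directory that is not mapped into the web site, so IIS never parses it.
    The original name is kept only by the application (e.g. in a database)."""
    if not hardened_check(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = os.path.splitext(filename)[1].lower()
    return os.path.join(upload_root, uuid.uuid4().hex + ext)


if __name__ == "__main__":
    for name in ("photo.jpg", "malware.asp;.jpg", "shell.asp"):
        print(name, "naive:", naive_check(name), "hardened:", hardened_check(name))
```

The handler that serves the file back looks the stored path up by id and streams it with a fixed content type, so the user-supplied name never reaches the file system or the URL space.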
I have tested this in IIS6, 7 and 7.5 and can only reproduce it with IIS6. IIS7 and 7.5 just output the contents of the file.
And it seems that a .NET file is not affected (e.g. '.aspx;.jpg'). I tried with and without a code-behind file.
Steps I took:
- Created two new files, test.asp and test.aspx (in this test without code behind)
- test.asp has the code <% Response.Write("Hello World") %>
- test.aspx also has a Response.Write in the Page Load event
- Tested both files to make sure they are working.
- Changed the extension of both files by appending ;.jpg
- Requested both files in the browser with the new file name.
Results:
- IIS6 parsed the test.asp;.jpg file as if it was a standard .asp file, outputting 'Hello world'. The test.aspx;.jpg resulted in an error.
- IIS7 and 7.5 returned the full contents (source code) of both the test.asp;.jpg and test.aspx;.jpg files.
According to the report, this affected 'the most recent version'* of IIS, maybe I'm missing a step here. Can anyone else reproduce this problem in IIS7 or 7.5? (or with an .aspx file?)
* Although later in the article it states '...it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6...', which is definitely not the latest version of IIS