A vulnerability has been discovered in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.

The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by ";" (e.g. "file.asp;.jpg") or in a file with an arbitrary extension located in a directory ending with ".asp". This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.

The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected.

Solution
Restrict file uploads to trusted users only and remove "execute" permissions for upload directories.

Provided and/or discovered by
* Soroush Dalili
* Additional information regarding directories ending with ".asp" provided by Juan Galiana.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Soroush Dalili:
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf

Microsoft:
http://blogs.technet.com/msrc/archive/2009/12/27/new-reports-of-a-vulnerability-in-iis.aspx
http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx
http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx

Juan Galiana:
http://blog.48bits.com/2010/09/28/iis6-asp-file-upload-for-fun-and-profit/

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers