I found a vulnerability in Microsoft IIS when I was searching about a method to execute an ASP file when we can only upload a JPG file.
The result was too simple, but interesting! I need only a semicolon between the “.asp” and the “.jpg” to execute an ASP file. So, the answer was “myfilename.asp;,jpg”. I have written some information about this vulnerability in:
I’ll try to update this PDF file if there was a need to add or change some information.
Description of this vulnerability from Secunia.com is:
Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.
The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by “;”, only one internal extension being equal to “.asp” (e.g. “file.asp;.jpg”). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.
The vulnerability is confirmed on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected.
There are also several websites which wrote about this weakness:
1. Secunia Advisory: Microsoft IIS ASP Multiple Extensions Security Bypass
2. Securityfocus: Microsoft IIS Malformed Local Filename Security Bypass Vulnerability
3. The Register: Microsoft IIS vuln leaves users open to remote attack
4. VUPEN Security: Microsoft IIS File Extension Processing Security Bypass Vulnerability
5. Securitytracker: Microsoft Internet Information Services (IIS) Filename Extension Parsing Flaw May Let Users Bypass Security Controls