March 21, 2010
Hot Topics:

Semicolon Bug Reveals IIS Vulnerability

Among the Christmas presents under the tree last week was an IIS vulnerability discovered by Soroush Dalili and posted to his web site, Soroush.SecProject.com.

According to the blog, IIS can execute any extension as an Active Server Page or any other executable extension. The vulnerability is considered highly critical for Web applications. It is present in versions 6 and prior but not tested yet in IIS 7. It is not an issue for IIS 7.5.

The vulnerability enables an attacker to bypass file extension protections using a semi-colon after an executable extension. This leaves many web applications vulnerable against file uploading attacks. In a survey performed in summer 2008 on some of the well known web applications (which Dalili does not cite) 70 percent of the secure file uploaders were bypassed via this vulnerability.

To fix it, Dalili recommends Web developers use a completely random string as a filename and set its extension by the web application itself (e.g., using a "switch-case or select-case") and never accept the user's input as the filename. He also recommends developers accept only alpha-numerical strings as the filename and its extension. For Webmasters, Dalili said to remove the "execute" permission from the upload directories (folders).

The complete report can be found, here.

Related Articles

Follow ServerWatch on Twitter

1



Networking Solutions





Partners

  • Partner With Us














More on ServerWatch


The Network for Technology Professionals

Search:

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers

Solutions

Whitepapers and eBooks

Article: Adobe Helps PHP Developers Create Rich Internet Applications
Case Study: Microsoft IT Strengthens Security with Data Loss Prevention Solution
Article: Reduce Your Infrastructure Costs with Microsoft System Center
Intel Brief: Five-Star IT Support--Intel Core 2 processor with vPro Delivers ROI of 524 Percent
Article: Security Enhancements Abound in Windows Server 2008
Article: Enterprise Social Computing with Microsoft SharePoint 2010
Intel Whitepaper: Implementing Intel vPro Technology to Drive Down Client Management Costs
 Microsoft Whitepaper: Improve Communications and Collaboration
Intel Article: Intel Core i5 vPro Brings Intelligence to the Processor
Microsoft Personalized Whitepapers and Resources for You
Microsoft Articles: Visual Studio 2010
Adobe Article: Java Developers Finding a Home at Adobe Flex
Microsoft Whitepaper: Make Better Decisions - SQL Server 2008 Business Intelligence.
MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Video: How System Center Helps Reduce IT Costs
IBM Cloud Computing for Developers Virtual Event, April 6-8
Microsoft Video: OCS and Exchange: Platform Futures
MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

HP PartnerONE | SolutionsINFINITE Visit us at hp.com/partners/us
Iron Speed Designer Application Generator
 MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Learn Unified Communications
Learn SQL Server 2008
Learn Windows Server 2008 R2
Internet.com Hot List: Get the Inside Scoop on IT and Developer Products
Learn Forefront
 Learn System Center
All About Botnets
Learn SharePoint
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES