Vigil@nce: IIS, execution of uploaded files
January 2010 by Vigil@nce
An attacker who is allowed to upload files to the web site can execute
ASP code.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 29/12/2009
– Revision date: 30/12/2009
IMPACTED PRODUCTS
– Microsoft IIS
DESCRIPTION OF THE VULNERABILITY
A web site can be composed of ASP files, containing code to
execute:
http://server/web-page.asp
In some cases, the administrator can allow a user to upload a file
(such as a JPEG image) to the web site. However, if the attacker
uploads a file named "file.asp;.jpeg" to an executable
directory of the web site, then the ASP code will be executed when
the attacker requests the following URL:
http://server/upload-directory/file.asp;.jpeg
Indeed, the file name contains the ".ASP" extension (even though it
ends with ".JPEG"), so the ISAPI extension asp.dll is called.
This vulnerability impacts the following extensions:
– ASP: ASA, CDX, CER, HTR
– HTTP ODBC: IDC
– Server Side Include: SHTM, SHTML, STM
– etc.
An attacker who is allowed to upload files to the web site can
therefore execute ASP (or HTTP ODBC, Server Side Include) code.
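One way an upload handler can refuse such names, shown as an added example (not part of the original advisory and not Microsoft code). It assumes an image-only upload feature; the function names and the allow-list are hypothetical, and the script extension list is the one given above.

```python
import re
import uuid

# Extensions the advisory lists as mapped to a script handler.
SCRIPT_EXTS = {"asp", "asa", "cdx", "cer", "htr", "idc", "shtm", "shtml", "stm"}
# Assumption: this upload feature only accepts images.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}


def name_segments(filename):
    """Lower-cased segments after the first '.' or ';' of the base name."""
    base = re.split(r"[\\/]", filename)[-1].lower()
    return [s.strip() for s in re.split(r"[.;]", base)[1:]]


def find_script_ext(filename):
    """Return the first script-mapped extension anywhere in the name, else None."""
    for seg in name_segments(filename):
        if seg in SCRIPT_EXTS:
            return seg
    return None


def check_upload_name(filename):
    """Return (accepted, reason) for a client-supplied upload file name."""
    if ";" in filename:
        return False, "semicolon in file name"
    hit = find_script_ext(filename)
    if hit:
        return False, "script extension ." + hit
    segs = name_segments(filename)
    if not segs or segs[-1] not in ALLOWED_EXTS:
        return False, "extension not in allow-list"
    return True, "ok"


def stored_name(filename):
    """Server-chosen name on disk: random stem plus the validated extension."""
    ok, reason = check_upload_name(filename)
    if not ok:
        raise ValueError(reason)
    return uuid.uuid4().hex + "." + name_segments(filename)[-1]


if __name__ == "__main__":
    # Constructed sample names; the second is the one from the advisory.
    for n in ["photo.jpeg", "file.asp;.jpeg", "page.shtml.png", "notes.txt"]:
        print(n, check_upload_name(n))
```

Because stored_name() never writes the client-supplied name to disk, a name that slips past the checks still cannot choose which handler serves the file.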
CHARACTERISTICS
– Identifiers: BID-37460, CVE-2009-4444, CVE-2009-4445,
VIGILANCE-VUL-9312
– URL: http://vigilance.fr/vulnerability/IIS-execution-of-uploaded-files-9312