Vigil@nce - IIS: execution of uploaded file
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker, allowed to create directories and to upload files on
the web site, can execute ASP code.
Severity: 2/4
Creation date: 29/09/2010
DESCRIPTION OF THE VULNERABILITY
A web site can be composed of ASP files, containing code to
execute:
http://server/web-page.asp
The administrator can allow a user to:
– create a directory with the name "mydir.asp", in an executable
directory of the web site
– upload a file with the name "file.jpeg", in the "mydir.asp"
directory
– call the url http://server/upload-directory/mydir.asp/file.jpeg
In this case, as the directory name ends with ".asp", the content
of the ".jpeg" file is interpreted as ASP code.
An attacker, allowed to create directories and to upload files on
the web site, can therefore execute ASP code.
This vulnerability is a variant of VIGILANCE-VUL-9312
(https://vigilance.fr/tree/1/9312).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IIS-execution-of-uploaded-file-9987