Another critical vulnerability have been found in the Microsoft IIS web service which allows malicious users to upload malicious files by appending innocent filename extensions like “jpg” to malicious files. The problem arises from by the way Microsoft IIS parses file names with colons or semicolons in them which can allow attackers to bypass filters and potentially trick server into running a malware.
Soroush Dalili,the security researcher who found the flaw commented “ Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as '.asp,' '.cer,' '.asa' and so on," he continued "Many web applications are vulnerable against file uploading attacks because of this weakness of IIS."
A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.
Via The Registrar
POSTED BY XERO. ALL RIGHTS RESERVED.