IIS service vulnerability leaves users to attack

Another critical vulnerability have been found in the Microsoft IIS web service which allows malicious users to upload IIS service vulnerability leaves users to attackmalicious files by appending innocent filename extensions like “jpg” to malicious files. The problem arises from by the way Microsoft IIS parses file names with colons or semicolons in them which can allow attackers to bypass filters and potentially trick server into running a malware.

Soroush Dalili,the security researcher who found the flaw commented “ Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as '.asp,' '.cer,' '.asa' and so on," he continued "Many web applications are vulnerable against file uploading attacks because of this weakness of IIS."

Secunia,a Danish computer security service provider,confirmed the bug on a machine running a fully patched version of Windows 2003 R2 SP2 with Microsoft IIS version 6.

A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.


Via The Registrar




Need to say something ? Spell it out :)