Among the Christmas presents under the tree last week was an IIS vulnerability discovered by Soroush Dalili and posted to his web site, Soroush.SecProject.com.
According to the blog, IIS can execute a file with any extension as an Active Server Page (or as any other executable extension). The vulnerability is considered highly critical for Web applications. It is present in versions 6 and prior but has not yet been tested in IIS 7. It is not an issue for IIS 7.5.
The vulnerability enables an attacker to bypass file extension protections by placing a semi-colon after an executable extension. This leaves many web applications vulnerable to file upload attacks. In a survey performed in summer 2008 on some well-known web applications (which Dalili does not cite), 70 percent of the secure file uploaders were bypassed via this vulnerability.
To fix it, Dalili recommends that Web developers use a completely random string as the filename, have the web application itself set the extension (e.g., via a "switch-case or select-case"), and never accept the user's input as the filename. He also recommends that developers accept only alphanumeric strings for the filename and its extension. For Webmasters, Dalili advises removing the "execute" permission from the upload directories (folders). The complete report can be found here.
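The developer-side advice above, as an added example (not code from Dalili's report or from IIS): a Python stand-in for an upload handler that contrasts the weak "ends with an allowed extension" check the bypass defeats with a handler that follows the recommendations, accepting only alphanumeric name parts, choosing the stored extension from its own allowlist (the "switch-case"), and generating a random server-side filename. The allowlist contents, function names and the sample filenames are constructed for illustration.

```python
import re
import secrets
from typing import Optional

# Application-owned allowlist: the user's claimed extension only selects an
# entry; the value is the extension the server actually writes to disk.
# This is the "switch-case or select-case" from the recommendation.
# (Constructed for this example; tailor to what the application really stores.)
ALLOWED_EXTENSIONS = {
    "jpg": "jpg",
    "jpeg": "jpg",
    "png": "png",
    "gif": "gif",
    "pdf": "pdf",
}

# Only plain alphanumerics are accepted for the stem and the extension, so
# ';', '.', '/', '\\' and other characters with special meaning to IIS or
# the filesystem never reach the storage path.
_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def naive_is_allowed(user_filename: str) -> bool:
    """The weak check the post describes: trust the user-supplied name as long
    as the text after the final dot is an allowed extension.  A name such as
    'shell.asp;.jpg' passes because its final extension is 'jpg'."""
    return user_filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS


def safe_upload_name(user_filename: str) -> Optional[str]:
    """Return the filename the server will store the upload under, or None
    to reject the upload.  Nothing from the user's name is reused except the
    *selection* of an allowlisted extension."""
    if "." not in user_filename:
        return None
    stem, ext = user_filename.rsplit(".", 1)
    # Both parts must be purely alphanumeric (rejects 'shell.asp;' as a stem).
    if not _ALNUM.fullmatch(stem) or not _ALNUM.fullmatch(ext):
        return None
    stored_ext = ALLOWED_EXTENSIONS.get(ext.lower())
    if stored_ext is None:
        return None
    # Completely random, alphanumeric base name chosen by the server, so the
    # user controls neither the name nor the extension of the stored file.
    return f"{secrets.token_hex(16)}.{stored_ext}"


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ["shell.asp;.jpg", "photo.JPEG", "script.asp", "a/b.png"]:
        print(f"{name!r}: naive={naive_is_allowed(name)} safe={safe_upload_name(name)}")
```

Even with the random name, the stem check is kept as the page's second recommendation (defense in depth): if a later change ever reuses part of the user's name, the semicolon and path characters have already been rejected at the boundary. Removing the "execute" permission on the upload directory, the Webmaster-side advice, is an independent control that limits the damage should a file ever slip through.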