YNOT – A punctuation mark could mean disaster for the thousands of web and intranet servers running Microsoft’s Internet Information Services, a researcher warned on Christmas Day.Cyber-security expert Soroush Dalili said semicolons are far from benign in their interactions with IIS. A vagary in the way all versions of the software parse the “;” character could allow hackers to bypass malware filters and upload malicious code simply by appending a file extension containing the punctuation mark.
“Impact of this vulnerability is absolutely high, as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote in a report dated Dec. 25. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”
Dalili laid out a potential scenario in an email to Britain’s The Register.
“Assume a website which only accepts JPG files as the users’ avatars,” he wrote. “And the users can upload their avatars on the server. Now an attacker tries to upload ‘Avatar.asp;.jpg’ on the server. Web application considers this file as a JPG file. So, this file has the permission to be uploaded on the server. But when the attacker opens the uploaded file, IIS considers this file as an ASP file and tries to execute it by ‘asp.dll.’
“[T]he attacker can upload a web-shell on the server by using this method. Most of the uploaders only control the last part of the files as their extensions, and by using this method, their protection will be bypassed.”
A Microsoft spokeswoman told The Register Microsoft is not aware of any semicolon attacks, but the company is investigating the reported vulnerability.
Dalili recommended webmasters who want to work around the bug ensure none of their upload directories bear execute permissions. In addition, “web developers should ensure their applications never accept the user’s input as a file name,” The Register’s Dan Goodin advised.
