Security flaw in Microsoft IIS
Soroush Dalili has discovered that various versions of Microsoft's Internet Information Services (IIS) contain a security flaw that can be exploited to inject and execute malicious code on Windows web servers. Dalili writes that the problem occurs when IIS parses filenames that contain a semicolon before the extension. When ";.jpg" is appended to an .asp file, for instance, systems that decide whether a file is executable based only on its final extension can be duped; a file named "malicious.asp;.jpg" would then be executed as an .asp file.
Dalili says that IIS versions 6 and earlier are affected. Security service provider Secunia has since confirmed that the flaw affects Windows Server 2003 R2 SP2 with IIS 6. But unlike Dalili, who categorizes the flaw as highly critical, Secunia merely calls it "less critical", the second lowest level in Secunia's vulnerability hierarchy. Nonetheless, the Internet Storm Center fears that the flaw could soon be exploited on a grand scale to penetrate networks. Until there is a patch, webmasters should simply rule out the execution of code in upload directories.