CVE-2009-4444 - Unspecified vulnerability in Microsoft Internet Information Services 5.0/6.0

CVSS 6.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

Microsoft Internet Information Services (IIS) 5.x and 6.x uses only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file.

Vulnerable Configurations

Part: Application
Description: Microsoft
Count: 2

Packetstorm

data source: https://packetstormsecurity.com/files/download/93313/R7-0036.txt
id: PACKETSTORM:93313
last seen: 2016-12-05
published: 2010-08-30
reporter: H D Moore
source: https://packetstormsecurity.com/files/93313/Rapid7-Security-Advisory-36.html
title: Rapid7 Security Advisory 36