A vulnerability in the IIS web server would allow arbitrary ASP code to be executed, seriously weakening system security. Microsoft has acknowledged the problem but says that its scope is limited.
Hiding an ASP file with a ";"
According to security firm Secunia, the server mishandles the names of certain files. A file named file.asp;.jpg is not blocked by software that restricts uploads to the server by file type, because that software looks only at the end of the name and sees an image. It is nevertheless possible to run the ASP code on the server once the upload is complete.
Microsoft limits the scope of the fault
According to Microsoft, the risk is nevertheless limited by the fact that the attacker must have access to the system, be authenticated, be able to write a file and have the rights needed to run a program. According to the vendor, the problem is limited to cases where administrators have misconfigured clients' rights. The flaw is also said to be present on IIS 6, but not on 7.5. It has not yet been tested on IIS 7.



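The upload check described above, next to a stricter one, as an added example that is not part of the original post. The function names and the two extension lists are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed lists for this example; adjust to the handlers mapped on your server.
SCRIPT_EXTS = (".asp", ".asa", ".aspx")
ALLOWED_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def naive_is_allowed(filename):
    """Weak check from the text: only the end of the name is examined."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTS


def strict_is_allowed(filename):
    """Accept only a plain file name with one allowed extension."""
    # No directory components, in either Windows or POSIX form.
    if "/" in filename or "\\" in filename:
        return False
    # ';' is the character at issue here; ':' introduces NTFS alternate
    # data streams; control characters (including NUL) are never valid.
    if any(c in ";:" or ord(c) < 32 for c in filename):
        return False
    stem, ext = os.path.splitext(filename)
    if not stem or ext.lower() not in ALLOWED_EXTS:
        return False
    # Refuse a script extension hidden before the final one ("a.asp.jpg").
    padded = stem.lower() + "."
    return not any(s + "." in padded for s in SCRIPT_EXTS)


def stored_name(filename):
    """Return a server-generated name so the client's name never hits disk."""
    if not strict_is_allowed(filename):
        raise ValueError("rejected upload name: %r" % filename)
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample names, including the one quoted in the article.
    for name in ("photo.jpg", "file.asp;.jpg", "a.asp.jpg", "holiday.2009.png"):
        print(name, naive_is_allowed(name), strict_is_allowed(name))
```

Name validation complements, and does not replace, withholding the right to run programs from directories that clients can write to, which is the configuration condition Microsoft cites.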