Microsoft Internet Information Services (IIS) Filename Extension Parsing Vulnerability
(Microsoft Security Response Center, SecurityTracker Alert ID: 1023387)
A filename parsing vulnerability has been reported in the Microsoft Internet Information Services (IIS) web server. A remote attacker can exploit this vulnerability to execute arbitrary code on an affected system.
The vulnerability is due to IIS incorrectly parsing filenames that contain a semicolon when determining the MIME type based on the filename extension. An attacker may exploit this issue by crafting an HTTP POST request that bypasses the web application's filename extension security filters. Successful exploitation of this vulnerability would allow the attacker to upload an executable file with a non-executable extension onto the vulnerable server.
Check Point provides immediate protection against exploits that use this vulnerability through its integrated IPS offerings. Check Point SmartDefense and Check Point IPS Software Blade detect and block HTTP requests attempting to exploit this vulnerability. For more information, see CPAI-2009-331.
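
The extension-filter bypass described above, as an added example that is not part of the original advisory: an upload check that only inspects the text after the last dot, next to a stricter check that rejects any name containing a semicolon or more than one dot. The allowlist, function names and sample filenames are assumptions constructed for illustration.

```python
import os
import re
import uuid

# Assumed allowlist of non-executable upload types (not taken from the advisory).
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf"}

# Letters, digits, underscore and hyphen, then exactly one dot and an extension.
# Semicolons, extra dots, path separators and control characters never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def naive_filter(filename: str) -> bool:
    """Filter of the kind the advisory says is bypassed: it trusts whatever
    follows the last dot and ignores the rest of the name."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def strict_filter(filename: str) -> bool:
    """Accept a client-supplied name only if it has a single extension,
    that extension is allowlisted, and no delimiter such as ';' appears."""
    if not SAFE_NAME.match(filename):
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Store the upload under a server-generated name so the server never
    interprets a client-chosen filename; keep only the validated extension."""
    if not strict_filter(filename):
        raise ValueError("rejected upload filename")
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


def compare(names):
    """Return {name: (naive_result, strict_result)} for each sample name."""
    return {n: (naive_filter(n), strict_filter(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names, not taken from real traffic.
    samples = ["photo.jpg", "report.asp;.jpg", "script.asp", "a.b.png"]
    for name, (naive, strict) in compare(samples).items():
        print(f"{name!r:22} naive={naive!s:5} strict={strict}")
```

Storing uploads outside any directory where the server executes scripts closes the same gap from the other side.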


