Public disclosure of IIS security issue with semi-colons in URL
The IIS team has been alerted to the claim of a new security issue in IIS 6, and I wanted to explain the issue and our position on it.
The issue in question affects only IIS 6 (Windows Server 2003) and arises when you send a URL with a semi-colon in it. IIS 6 uses the path before the semi-colon to determine the script handler for it. So sending a URL like http://www.fabrikam.com/uploads/foo.asp;bar.jpg results in mapping this request to the ASP script handler since it ignores everything after the semi-colon. In the case where this URL is given Execute Permissions, we will end up executing the ASP script inside a file "foo.asp;bar.jpg".
Here are the facts concerning this issue:
- You MUST have write permissions to upload your content. The issue being discussed here does not let you bypass that requirement. So if you don't allow uploads, read no further, you are not exposed to the issue.
- If you allow uploads of files, then IIS best practices require you NOT to give script permissions to an upload folder (see bullet point 7 in the link). If you follow best practices and do not grant script permissions to an upload folder, there is no room for any script to be executed. Requesting a URL like http://www.fabrikam.com/uploads/foo.asp;bar.jpg on a properly configured server will result in a 403 error. Hence there is no security issue on a properly configured server either.
- If your server uses a non-recommended configuration and allows uploads and script execution privileges together, then only those authorized to actually upload content will be able to place said content. And in this case the existence of this issue is of no major import in letting you execute your script ... since that is exactly what you have configured your server for.
In summary, there is a functionality issue here, but there is no security issue unless you already had a poorly configured server to begin with.
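For sites that do accept uploads, the handler mapping described above can be checked at upload time or over an existing upload folder. The following is an added example, not code from the IIS team: it models the "path before the semi-colon" rule from this post and flags file names whose handler extension differs from the one a last-dot filter would see. The extension set, the function names and the sample names are assumptions made for illustration.

```python
import posixpath

# Assumed set of script-mapped extensions; replace it with the script
# mappings actually configured on your server.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}


def apparent_extension(name):
    """Extension a naive upload filter sees: the text after the last dot."""
    return posixpath.splitext(name)[1].lower()


def handler_extension(name):
    """Extension used for handler selection as this post describes it for
    IIS 6: only the part of the name before the first semicolon counts."""
    before_semicolon = name.split(";", 1)[0]
    return posixpath.splitext(before_semicolon)[1].lower()


def audit_upload_names(names, script_exts=SCRIPT_EXTENSIONS):
    """Return (name, reason) for every name an upload filter should reject."""
    findings = []
    for name in names:
        if handler_extension(name) in script_exts:
            if apparent_extension(name) in script_exts:
                reason = "script extension"
            else:
                reason = "script extension hidden before ';'"
            findings.append((name, reason))
        elif ";" in name:
            # Conservative policy choice of this example: no semicolons at all.
            findings.append((name, "semicolon in name"))
    return findings


# Constructed sample file names, for illustration only.
SAMPLE_NAMES = ["photo.jpg", "foo.asp;bar.jpg", "default.asp",
                "notes;v2.txt", "REPORT.ASP;x.png"]

if __name__ == "__main__":
    for name, reason in audit_upload_names(SAMPLE_NAMES):
        print(f"reject {name!r}: {reason}")
```

A name check like this complements, and does not replace, removing script permissions from the upload folder.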