File Extension Bypass Vulnerability in Microsoft Internet Information Services
CVE-2009-4444


Key Information:

Vendor: Microsoft
CVE Published: 29 December 2009

What is CVE-2009-4444?

The vulnerability in Microsoft Internet Information Services (IIS) 5.x and 6.x arises from improper handling of filename extensions. The server evaluates only the portion of a filename that precedes a semicolon, so a third-party upload application that checks the final extension of the client-supplied name can be circumvented. A dangerous extension such as .asp, .cer, or .asa followed by a semicolon and a benign extension (e.g., .jpg) passes the upload filter yet is treated by IIS as the script type, potentially giving unauthorized access to the functionality those script handlers provide.
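The following Python is an added illustration, not code from the page or from Microsoft: it models the naive last-extension check that such upload filters performed, the truncation-at-semicolon behaviour the description attributes to IIS 5.x/6.x, and a hardened validator that examines every dot-separated segment and rejects characters that can truncate a name server-side. The extension sets, the `iis_effective_name` model and the `safe_stored_name` helper are assumptions constructed for this example; the mitigation of storing uploads under a server-generated name is standard practice and goes beyond what the page itself states.

```python
import posixpath

# Constructed for this example: extensions IIS maps to script handlers
# (the CVE text names .asp, .cer and .asa) and a whitelist an image
# upload application might accept.
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer"}
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_is_allowed(filename: str) -> bool:
    """The flawed check: looks only at the final extension of the supplied name."""
    ext = posixpath.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def iis_effective_name(filename: str) -> str:
    """Model (assumption) of the CVE-2009-4444 behaviour: IIS 5.x/6.x evaluates
    only the part of the filename before the first semicolon."""
    return filename.split(";", 1)[0]


def hardened_is_allowed(filename: str) -> bool:
    """Validator that survives the truncation: reject path separators, NUL and
    semicolons outright, then require that no dot-segment is a script extension
    and that the last segment is whitelisted."""
    if any(c in filename for c in "/\\;\x00"):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:          # needs a base name and an extension
        return False
    segments = {"." + p for p in parts[1:]}     # every extension-like segment
    if segments & SCRIPT_EXTENSIONS:            # covers upload.asp.jpg as well
        return False
    return "." + parts[-1] in ALLOWED_EXTENSIONS


def safe_stored_name(original: str, token: str) -> str:
    """Mitigation: never store the client-supplied name; derive the on-disk name
    from a server-generated token plus the validated, whitelisted extension."""
    if not hardened_is_allowed(original):
        raise ValueError("rejected upload name")
    ext = "." + original.lower().rsplit(".", 1)[1]
    return token + ext


if __name__ == "__main__":
    # Constructed sample names; 'upload.asp;.jpg' is the pattern the CVE describes.
    for name in ["photo.jpg", "upload.asp;.jpg", "upload.asp.jpg", "notes.asa"]:
        print(f"{name!r:22} naive={naive_is_allowed(name)!s:5} "
              f"iis_sees={iis_effective_name(name)!r:14} "
              f"hardened={hardened_is_allowed(name)}")
```

Running the block shows the naive filter accepting `upload.asp;.jpg` while the modelled server resolves it to `upload.asp`; the hardened check rejects it, and `safe_stored_name` removes the dependence on the client-supplied name altogether.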

References

EPSS Score

49% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability Reserved

  • Vulnerability published
