File Extension Bypass Vulnerability in Microsoft Internet Information Services
CVE-2009-4444
Currently unrated
Summary
Microsoft Internet Information Services (IIS) 5.x and 6.x handles filename extensions improperly: the server evaluates only the portion of the filename preceding a semicolon. Attackers can exploit this to circumvent file extension restrictions imposed by third-party upload applications, by using a dangerous extension like .asp, .cer, or .asa, then a semicolon followed by a benign extension (e.g., .jpg). This can potentially lead to unauthorized access to sensitive functionality enabled by these script types.
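The mismatch described above can be closed on the upload application's side. The following is an added example, not code from the advisory or from Microsoft: the allow-list, the function names and the sample file names are assumptions, and extension_seen_by_server is only a simplified model of the behaviour the summary describes.

```python
import os
import uuid

# Assumed allow-list for an image upload feature (hypothetical policy).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_check(filename):
    """Weak check: trusts only the text after the last dot."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def extension_seen_by_server(filename):
    """Simplified model of the summary: only the part of the name
    before the first semicolon decides the extension."""
    return os.path.splitext(filename.split(";", 1)[0])[1].lower()


def hardened_check(filename):
    """Return (accepted, reason); reject names two parsers could read differently."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop client-side path
    if not name or ";" in name:
        return False, "semicolon or empty name"
    if any(ord(c) < 32 or c in ':*?"<>|' for c in name):
        return False, "control or reserved character"
    stem, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if "." in stem:
        return False, "multiple extensions"  # deliberately strict policy
    return True, "ok"


def storage_name(filename):
    """Store under a server-generated name so no client text reaches the disk."""
    accepted, reason = hardened_check(filename)
    if not accepted:
        raise ValueError(reason)
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    for sample in ["photo.jpg", "report.asp;.jpg", "report.asp.jpg", "a.cer;.png"]:
        print(sample, naive_check(sample), extension_seen_by_server(sample),
              hardened_check(sample))
```

Keeping the upload directory free of script execution rights on the server remains a separate control; the filename check does not replace it.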
References
EPSS Score
58% chance of being exploited in the next 30 days.
Timeline
Vulnerability Reserved
Vulnerability published