First of all, Microsoft is one of the best companies which leads us to the better world. But, nothing is free of fault except God!
I’m writing this post as a response to the Microsoft security response in: “http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx”.
They said that “We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.”. Therefore, I realized that this is not a Microsoft IIS hole. So, it should be a feature of IIS 6.0! In my opinion it’s a good feature for the attackers to bypass the web uploaders protection. Now my question is: why have they removed this feature from IIS version 7 and 7.5 then? And why are the others so concerned about this feature and some people added it to their exploits collection?
I think it’s not even a critical bug for IIS, but it is highly critical for most of the web applications.
Besides, Microsoft is so wrong about the default configurations since they said “customers who are using IIS 6.0 in the default don’t need to worry about this issue”. I think they should look at the shared servers default configurations as well as the dedicated ones.
Finally, I think Microsoft should fix this feature as soon as possible to eliminate its risks! And, it is up to the web security researchers and the web penetration testers to decide about the impact of this vulnerability on the web applications.
PS:
You can also look at these links:
– http://www.darknet.org.uk/2009/12/microsoft-iis-semicolon-bug-leaves-servers-vulnerable/
– http://www.esecurityplanet.com/trends/article.php/3855936/article.htm