Microsoft IIS ASP Extensions Security Bypass 0-day

This is a late post as I have been incredibly busy over the last two months (you can tell by the blog neglect :).

A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the IIS server fails to properly handle files that have multiple extensions separated by a semi-colon ";" (filename.asp;.jpg). This could be used by an attacker to abuse poor file upload implementations. This vulnerability does not work with ASP.Net.

The Microsoft Security Response Center (MSRC) has made a blog post about the vulnerability.