I didn't submit this to the bug tracker because I believe that I'm missing a configuration or setup on the folder security that fixes this problem.

One of my customers has had his dnn site (with over 200,000 registered users) defaced SEVERAL TIMES in the last 2 weeks. I was able to easily replicate the security issues and upload asp files to any of the dnn websites I have running for other customers, including dnn 5.x. This is ONLY IF they are installed on IIS6.

It seems to be a problem of IIS6, and if you add another problem with FCK gallery, then you are able to upload and execute any asp file.

Here's the information of the IIS6 vulnerability: http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
Here's the information of the FCK Gallery vulnerability: http://securityreason.com/exploitalert/6234

Here's how you can duplicate the vulnerability on any of your dnn websites running on IIS6:

- Navigate to your dnn installation here: /Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx
- If it doesn't let you upload a document, then register as a normal user and go back to the same url. You should see the option to upload a file now.
- Rename any asp file on your computer to something like this:  yourfilename.asp;123456.jpg
- Upload the file to a folder. The asp file will be accepted like if it was a jpg.
- Go to the url and run the asp file  (like /Portals/0/yourfilename.asp;123456.jpg    It will run the asp.

There must be a way to fix this configuring the security of the folders in Windows, but I haven't been able to figure it out.

Does anybody know how to fix it?