A security vulnerability in IIS was found announced over the Christmas Holiday. If you are using IIS 6, and a file is uploaded with a semicolon in the file name, the uploader can upload a malious asp to the server. For example if the file name is foo.asp;.jpg the file upload module in DNN will allow it, and when the user calls the file, it is passed to the asp script engine.  Details can be found here: blogs.technet.com/msrc/archive/2009/1... and here blogs.iis.net/nazim/archive/2009/12/2...

A quick check on my dev box with a 4.8x version of DNN reveals that yes this can happen. I uploaed a HelloWorld.asp;.jpg file to the site via the file uploader, and called the URL directly and yes it ran the script thru the asp script engine.

A QUICK fix for this is to add the asp.net dll to the Wildcards applications map of the website. Which then prevents the script from running.

This raises a question for me, Do I have DNN configured correctly, or did I misunderstand the documentation?  If I didn't at least everyone has a quick fix they can do to to stop this vulnerability from being exploited.

A bit of both.  First, only those authorized to upload files can do this.  And frankly, if they can upload files, they don't need to go to this effort to have a malicious script appear, they can just upload it.  And second, DNN is ASP.NET.  Why would you have ASP Classic enabled on the server when you aren't using it?

There are a ton of ways to secure against this, most of which are done in IIS 6 by default, so you need to actively enable this ability on a server to begin with.  It's kind of hard for me to classify anything as a security vulnerability when the admin has to enable it.  The real security vulnerability is the admin, who could just as easily set a blank administrator password to allow security vulnerabilities.

Rick,

I am going to disagree with you a bit here.

1.) Hosting companies and site administrators have the ability on a website by website basis to enable and disable services for each site.  Part of proper IIS security baselines SHOULD BE to ensure that no services are running or supported that are not needed.  For example no .asp or .php if you are .NET only.  Yes, if a site is running a mix, etc that is something else to deal with.

2.) I will agree that this is an issue, but in all reality, not something that is 100% DNN's responsibility to manage.  How would DNN support this, other than to potentially prohibit uploading files that contain a ; character.  The reason I say this is if the file has two extensions, which to we "accept", which is there.

This is an overall security concern at the server level, in that the server, processes files in a way that is considered un-natural.  Should DNN or other web-applications correct against this if possilbe?  Sure, but this is not a DNN issue.

Secondly, no matter how much you protect your site, extension limiting alone, is NOT something that is 100% foolproof.  To your point of internal, malicious users with access that you have given them permissions, they can still do things...