XSS from Semicolon Vulnerability in Microsoft IIS/6.0

Hardik Solanki
Apr 18, 2020

Hello everyone, this is my first blog.

In this write-up, I’ll tell you how I was able to find “XSS via Semicolon (;) Vulnerability in Server: Microsoft-IIS/6.0”.

On this web application, there is a functionality called “Create New Entry” from where we can create a new entry by uploading an image, which is then uploaded/updated in the photo gallery of the web application.

Detailed Steps:

Step 1: Log in to the application using valid user credentials

Step 2: Navigate to the “Photo Gallery” tab and click on “Create New Entry”.

Step 3: Upload any image file and intercept the request using a web-proxy tool like “Burp”. (Image name: abcd.png)

Step 4: Rename the file from “abcd.png” to “abcd.asp;.png”. Replace the image content with a malicious script, as shown below, and forward the request. The response coming from the server (200 OK) indicates that the malicious file was uploaded successfully.

"><img src=x onerror=alert("xss")>

Rename the file from “abcd.png” to “abcd.asp;.png”

Note: Microsoft Internet Information Services (IIS) 5.x and 6.x use only the portion of a filename before a ; (semicolon) character to determine the file extension, which allows remote attackers to bypass intended extension restrictions of third-party upload applications via a filename with a (1) .asp, (2) .cer, or (3) .asa first extension, followed by a semicolon and a safe extension, as demonstrated by the use of asp.dll to handle a .asp;.jpg file. (https://www.cvedetails.com/cve/CVE-2009-4444/)

Step 5: Click the “Save” button. It was observed that the gallery is created successfully. This is shown in the screenshots below.

Click on “Save” to upload image on gallery
Gallery created successfully

Step 6: Now, go to the “Photo Gallery” tab. It was observed that the gallery is updated successfully.

Step 7: Copy the path of the uploaded file.

Copy the path/location where the image file has been uploaded

Step 8: Paste the copied file path in the address bar and press “Enter”.

Step 9: The XSS script that was entered gets reflected in the response without output sanitization, and is therefore executed in the browser.

BOOM!

Note:

The XSS script will not be reflected if you try a filename such as “abcd.png” or “abcd.asp.png”.

XSS is only reflected when a SEMICOLON is in place, e.g. abcd.asp;.png
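As an added illustration that is not part of the original write-up: the following Python models the IIS 5.x/6.x handler selection described in the note above, next to the kind of weak extension check that lets “abcd.asp;.png” through and a hardened check that rejects it. The allowlist, the filename pattern and the magic-byte table are assumptions made for this example, not the gallery application’s real configuration.

```python
import os
import re

# Assumed allowlist for the gallery upload (illustrative, not the app's real config).
ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
# Extensions IIS 5.x/6.x hands to script handlers, per the CVE-2009-4444 description.
SCRIPT_EXTS = {".asp", ".cer", ".asa"}
# Leading bytes of the allowed image formats (assumed lookup table for the content check).
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def iis6_effective_extension(filename: str) -> str:
    """Model of the CVE-2009-4444 behaviour: only the part of the name before
    the first ';' is used to pick the handler, so 'abcd.asp;.png' -> '.asp'."""
    before_semicolon = filename.split(";", 1)[0]
    return os.path.splitext(before_semicolon)[1].lower()

def would_run_as_script(filename: str) -> bool:
    """True when IIS 5.x/6.x would route the stored file to a script handler."""
    return iis6_effective_extension(filename) in SCRIPT_EXTS

def naive_filter_accepts(filename: str) -> bool:
    """The weak check the write-up bypasses: trust whatever follows the last dot."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTS

def hardened_name_ok(filename: str) -> bool:
    """Accept one stem of safe characters plus exactly one allowlisted extension.
    Semicolons, double extensions and path characters never reach the filesystem."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}", filename):
        return False
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTS

def content_matches_extension(filename: str, data: bytes) -> bool:
    """Reject bodies that are not the image the extension claims (step 4 swapped
    the PNG bytes for markup), independently of the name check."""
    signature = MAGIC.get(os.path.splitext(filename)[1].lower())
    return signature is not None and data.startswith(signature)

def hardened_upload_ok(filename: str, data: bytes) -> bool:
    return hardened_name_ok(filename) and content_matches_extension(filename, data)

if __name__ == "__main__":
    markup = b"<html>constructed sample, not an image</html>"  # constructed body
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16                  # constructed PNG header
    for name, body in [("abcd.png", png), ("abcd.asp.png", png), ("abcd.asp;.png", markup)]:
        print(f"{name:14} naive={naive_filter_accepts(name)!s:5} "
              f"iis_script={would_run_as_script(name)!s:5} hardened={hardened_upload_ok(name, body)}")
```

Run stand-alone, the table shows that the naive check and the IIS handler disagree only for the semicolon name, which is exactly the gap the write-up exploits.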

So it was a cool bug and it’s super easy.

Suggestions are most welcome as always. I will keep posting my findings. If you got anything from it, you can press the clap icon below and ya, don’t forget to follow me on LinkedIn & Twitter as well. See you all next time. :)

Cheers!
