Microsoft IIS 6.0 with PHP installed Authentication Bypass

Affected software:
Microsoft IIS 6.0 with PHP installed (tested on Windows Server 2003 SP1 running PHP5)

Details:
By sending a special request to the IIS 6.0 Service running PHP the attacker can successfully bypass access restrictions.

Take for example:
1.) IIS/6.0 has PHP installed
2.) There is a Password Protected directory configured
–> An attacker can access PHP files in the password protected directory and execute them without supplying proper credentials.
–> Example request (path to the file): /admin::$INDEX_ALLOCATION/index.php

IIS/6.0 will gracefully load the PHP file inside the “admin” directory if the ::$INDEX_ALLOCATION postfix is appended to directory name.
This can result in accessing administrative files and under special circumstances execute arbirary code remotely.

Leave a Reply

Scroll to Top