Microsoft IIS 7.5 .NET source code disclosure and Authentication Bypass

Affected Software:
Microsoft IIS/7.5 with PHP installed in a special configuration (Tested with .NET 2.0 and .NET 4.0)
The special configuration requires the “Path Type” of PHP to be set to “Unspecified” in the Handler Mappings of IIS/7.5

The authentication bypass is the same as the previous vulnerabilities:
Requesting for example http:///admin:$i30:$INDEX_ALLOCATION/admin.php will run the PHP script without asking for proper credentials.

By appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules, like misconfigured: .CS,.VB files)
IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code.

Example: Default.aspx/.php

Leave a Reply

Scroll to Top