CVE-2009-4445
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
29/12/2009
Last modified:
09/04/2025
Description
Microsoft Internet Information Services (IIS), when used in conjunction with unspecified third-party upload applications, allows remote attackers to create empty files with arbitrary extensions via a filename containing an initial extension followed by a : (colon) and a safe extension, as demonstrated by an upload of a .asp:.jpg file that results in creation of an empty .asp file, related to support for the NTFS Alternate Data Streams (ADS) filename syntax. NOTE: it could be argued that this is a vulnerability in the third-party product, not IIS, because the third-party product should be applying its extension restrictions to the portion of the filename before the colon.
Impact
Base Score 2.0
6.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:microsoft:internet_information_services:*:*:*:*:*:*:*:* | 6.0 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://securitytracker.com/id?1023387=
- http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55308
- http://securitytracker.com/id?1023387=
- http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55308