The Forum has been Updated
The code has been upgraded to the latest .NET core version. Please check instructions in the Community Announcements about migrating your account.
I have a asp operated photo gallery that permitted .gif files to be uploaded (that's been changed!)
A hacker uploaded and used a file named zor.asp;.gif to get in.
Here's a text copy for anyone interested: link Original file was named: zor.asp;.gif
A hacker uploaded and used a file named zor.asp;.gif to get in.
Here's a text copy for anyone interested: link Original file was named: zor.asp;.gif
Posted
I did that, there is a forum I help with that uses some sort of photo gallery vulnerable to this as well, and removing the semicolon meant that the file was no longer executed. I did it with an asp file, sothe code was displayed instead, as if it was a text file.
Posted
For some reading enjoyment: http://blogs.iis.net/nazim/archive/2009/12/29/public-disclosure-of-iis-security-issue-with-semi-colons-in-url.aspx
Posted
Seems quite an old issue!