Not sure if this is default behaviour, however on one of our Windows Server 2008 R2 boxes we've noticed one of our websites has .cer files under a folder called /scripts.

The .cer file contains ASP script which allows the intruder to browse the ENTIRE file system on the server, delete files, create files etc.

We've identified the security issue as to how this file managed to be created (FCKEditor security bug), however when browsing to:

http://site/cert.cer

The .cer file executes as an ASP script.

Having checked the handler mappings, we see .cer is mapped to %windir%\system32\inetsrv\asp.dll, which explains why the ASP script is being executed.

Is this default behaviour for IIS 7.5, and surely this is a security risk?

Robcyb

1 Answer

That mapping is there by default in IIS7. Both *.asp and *.cer are mapped to asp.dll. They are the only two extensions mapped to Classic ASP by default.

I'm not sure of the reason for the .cer default. It's obviously something legacy for Classic ASP but I haven't personally needed to call a .cer extension directly in Classic ASP.

Based on your situation, I would say that you should remove the .cer mapping and test to ensure that your Classic ASP site still works. If it does, then make sure to remove that mapping on all of your existing and new servers.

It doesn't open up anything more than .asp does as long as you don't leave .cer files within your site path. But, your particular exploit leveraged the .cer extension so you would be wise to remove any possible door that they would use.

Scott Forsyth
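
An added example, not part of the original question or answer: a Python audit that reads an IIS `<handlers>` section, lists every path pattern routed to asp.dll, and flags files in a site listing that would therefore run as Classic ASP. The config fragment, handler names and file list are constructed samples, and the function names are this example's own.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample modelled on an IIS <handlers> section (names are illustrative).
SAMPLE_CONFIG = r"""
<configuration><system.webServer><handlers>
  <add name="ASPClassic" path="*.asp" verb="GET,HEAD,POST" modules="IsapiModule"
       scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="File" />
  <add name="SecurityCertificate" path="*.cer" verb="GET,HEAD,POST" modules="IsapiModule"
       scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="File" />
  <add name="StaticFile" path="*" verb="*" modules="StaticFileModule"
       resourceType="Either" />
</handlers></system.webServer></configuration>
"""

# Constructed listing of files under the site root.
SAMPLE_FILES = ["default.asp", "scripts/cert.cer", "scripts/OLD.CER", "images/logo.png"]


def asp_handler_patterns(config_xml):
    """Map each path pattern whose scriptProcessor is asp.dll to its handler name."""
    found = {}
    for handlers in ET.fromstring(config_xml).iter("handlers"):
        for add in handlers.findall("add"):
            proc = add.get("scriptProcessor", "").lower().replace("/", "\\")
            if proc.rsplit("\\", 1)[-1] == "asp.dll":
                found[add.get("path", "").lower()] = add.get("name")
    return found


def unexpected_mappings(patterns, allowed=("*.asp",)):
    """Patterns routed to Classic ASP that the site is not expected to need."""
    return sorted(p for p in patterns if p not in allowed)


def files_that_would_execute(file_names, patterns):
    """Files whose name matches an unexpected ASP-mapped pattern (case-insensitive)."""
    extra = unexpected_mappings(patterns)
    hits = []
    for name in file_names:
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if any(fnmatch.fnmatchcase(base, p) for p in extra):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    mapped = asp_handler_patterns(SAMPLE_CONFIG)
    print("Mapped to asp.dll:", mapped)
    print("Unexpected:", unexpected_mappings(mapped))
    print("Would run as ASP:", files_that_would_execute(SAMPLE_FILES, mapped))
```

The script reads one config file at a time and does not resolve inheritance or `<remove>` entries between applicationHost.config and a site's web.config, so run it against each level that defines handlers.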