ASP.NET vulnerability affecting PHP sites on IIS

Update on Sep 28th, 2010: The security update for the vulnerability is available. More details can be found at PHP on IIS: get the latest security updates now.

Microsoft has recently released a Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. PHP applications running on IIS are also subject to this vulnerability if ASP.NET is enabled in IIS.

IMPORTANT: Even if a PHP application is not using any ASP.NET features, the vulnerability still exists as long as ASP.NET is enabled.

More information about the vulnerability can be found at the following links:

This blog post describes how to protect your PHP applications on IIS from attacks that exploit this vulnerability.

How to protect your PHP sites on IIS?

Microsoft is working on releasing a patch that fixes this security vulnerability. Until the patch is released, there are two options available today for protecting your PHP applications on IIS.

  1. If you do not need ASP.NET, then disable it on the server.
  2. If you need ASP.NET, then apply the workaround described in Scott Guthrie’s blog.

How to disable ASP.NET on IIS 6?

To disable ASP.NET on IIS 6, run the aspnet_regiis tool for every .NET version, as shown below:

%WINDIR%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis /u
Start uninstalling ASP.NET (2.0.50727).
......................................................
Finished uninstalling ASP.NET (2.0.50727).

%WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis /u
Start uninstalling ASP.NET (1.1.4322.0).
Finished uninstalling ASP.NET (1.1.4322.0).

How to disable ASP.NET on IIS 7?

To disable ASP.NET on IIS 7 follow these steps:

  1. In the Windows Start Menu choose “Run:”, type “CompMgmtLauncher” and click “Ok”;
  2. Select the “Web Server (IIS)” role, then click “Remove Role Services” and clear the “ASP.NET” and “.NET Extensibility” checkboxes under the “Application Development” group.
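
A check for the condition this post warns about, ASP.NET handler mappings still being present after the steps above, written as an added PowerShell example that is not part of the original post. It assumes an IIS 7 style configuration file; the function name, the sample XML and the matching rule (System.Web.* handler types or an aspnet_isapi.dll script processor) are this example's own.

```powershell
# Added example: list ASP.NET handler mappings found in an IIS 7 config file.
# Assumption: a mapping counts as ASP.NET if it names a managed System.Web.*
# type or uses aspnet_isapi.dll as its scriptProcessor (classic mode).
# Limitation: <remove> and <clear/> entries in site-level web.config files
# are not evaluated; every <add> under any handlers section is reported.
function Get-AspNetHandlerMapping {
    param([Parameter(Mandatory = $true)][xml]$Config)

    foreach ($h in $Config.SelectNodes('//system.webServer/handlers/add')) {
        $type = $h.GetAttribute('type')
        $proc = $h.GetAttribute('scriptProcessor')
        $reason = $null
        if ($type -like 'System.Web.*') { $reason = 'managed handler' }
        elseif ($proc -like '*\aspnet_isapi.dll') { $reason = 'ISAPI mapping' }
        if ($reason) {
            New-Object PSObject -Property @{
                Name   = $h.GetAttribute('name')
                Path   = $h.GetAttribute('path')
                Reason = $reason
            }
        }
    }
}

# Constructed sample, shaped like the handlers section of applicationHost.config.
$sample = @'
<configuration>
  <system.webServer>
    <handlers>
      <add name="PHP_via_FastCGI" path="*.php" verb="*" modules="FastCgiModule" scriptProcessor="C:\PHP\php-cgi.exe" resourceType="Either" />
      <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode" />
      <add name="PageHandlerFactory-ISAPI-2.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
  </system.webServer>
</configuration>
'@

# On a server, load the real file instead of the sample:
#   [xml](Get-Content "$env:windir\System32\inetsrv\config\applicationHost.config")
$found = @(Get-AspNetHandlerMapping -Config $sample)
if ($found.Count -eq 0) { 'No ASP.NET handler mappings found.' }
else { $found | Format-Table Name, Path, Reason -AutoSize }
```

With the constructed sample, the two *.aspx mappings are reported and the PHP FastCGI and static file handlers are not.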

How to apply the workaround?

If your IIS server is used to host both ASP.NET and PHP, or if your PHP web site uses any ASP.NET features, then disabling ASP.NET on the server is not an option for you. Instead, you will need to apply the workaround that is described in detail in Scott Guthrie’s blog:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx


ruslany on September 22nd 2010 in PHP


4 Responses to “ASP.NET vulnerability affecting PHP sites on IIS”

  1. NorthernIndustrialist responded on 23 Sep 2010 at 3:39 am

    “How to protect your PHP sites on IIS?”

    Install Linux.

  2. Rovastar responded on 23 Sep 2010 at 4:53 am

    As PHP is vulnerable when ASP.NET is installed.

    Is classic asp also affected?

    I imagine all the frameworks will run in that app pool...

  3. ruslany responded on 23 Sep 2010 at 12:11 pm

    Hi Rovastar, yes – classic asp is also affected if asp.net handler mappings exist and can be called on the site.

  4. RuslanY Blog responded on 28 Sep 2010 at 1:45 pm

    PHP on IIS: get the latest security updates now…

    This morning Microsoft has released a security update that addresses the ASP.NET Security Vulnerability. The PHP applications running on IIS are subject to this vulnerability if ASP.NET is enabled in IIS. IMPORTANT: Even if PHP applications on IIS do n…
