Further, IIS could run a file having any extension in the form of an ASP (Active Server Page) or as executable extensions of other types. According to Dalili, an example of this is "malicious.asp;.jpg" which runs on a server as an .asp file, as reported by V3 on December 26, 2009.

Several web-programs are so designed that they reject uploading of executable files. For example, when ASPs that usually contain the ".asp" extension add ";.jpg" or any other harmless extension to some malevolent file, it enables attackers to evade filters and possibly dupe and get a server to execute the malicious software.

Dalili added that several file uploading programs defended a computer by checking merely the filename's last portion as the extension. This flaw allows an attacker to escape the defense and load certain risky executable file on the system, he explained.

Indeed, Dalili presented an exemplified attack to make his argument stronger. He said that suppose a website which accepted only JPG files to serve as the avatars of users. Therefore, the users could load their avatars on the Internet-connected system. Similarly, an attacker could attempt to load "Avatar.asp;.jpg" on that system. The web program would identify the upload as a JPG file.

Consequently, the file would receive the consent to be loaded on the server. However, if the attacker viewed that file, IIS would regard it as a file with an .asp extension. It would also attempt to run it as a file of the ASP Dynamic Link Library type, Dalili explained.

Incidentally, the exploration of flaw continues and some disagreements have emerged about its seriousness. While Dalili assigns the flaw a "highly critical" rating, Secunia the vulnerability tracker calls it "less critical."

Moreover, some reports state that the software giant Microsoft is investigating the flaw.