ASP.NET vulnerability affecting PHP sites on IIS

Note: This article was originally published at Planet PHP on 23 September 2010.

Microsoft has recently released a Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. PHP applications running on IIS are also subject to this vulnerability if ASP.NET is enabled in IIS.

IMPORTANT: Even if a PHP application does not use any ASP.NET features, the vulnerability still exists as long as ASP.NET is enabled.

More information about the vulnerability can be found at the following links:

This blog post describes how to protect your PHP applications on IIS from attacks that exploit this vulnerability.

How to protect your PHP sites on IIS?

Microsoft is working on releasing a patch that fixes this security vulnerability. Until the patch is released there are two options that exist today for protecting your PHP applications on IIS.

  1. If you do not need ASP.NET then disable it on the server
  2. If you need ASP.NET then apply the workaround described in Scott Guthrie's blog.

How to disable ASP.NET on IIS 6?

To disable ASP.NET on IIS 6 run the aspnet_regiis tool for every .NET version as shown below:

    %WINDIR%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis /u
    Start uninstalling ASP.NET (2.0.50727).
    ......................................................
    Finished uninstalling ASP.NET (2.0.50727).

    %WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis /u
    Start uninstalling ASP.NET (1.1.4322.0).
    Finished uninstalling ASP.NET (1.1.4322.0).

How to disable ASP.NET on IIS 7?

To disable ASP.NET on IIS 7 follow these steps:

  1. In the Windows Start Menu choose "Run:", type "CompMgmtLauncher" and click "Ok";
  2. Select the "Web Server (IIS)" role, then click "Remove Role Services" and then disable the "ASP.NET" and ".NET Extensibility" checkboxes under the "Application Development" group.
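
The same removal can be scripted and then verified from an elevated PowerShell prompt. This is an added example, not part of the original article; it assumes Windows Server 2008 R2, where the ServerManager module exposes the two role services as Web-Asp-Net and Web-Net-Ext, and the function names are hypothetical.

```powershell
# Added example. Assumes Windows Server 2008 R2 (IIS 7.5) and an elevated
# prompt; the ServerManager module ships with that OS.
Import-Module ServerManager

# Role services behind the "ASP.NET" and ".NET Extensibility" checkboxes.
$roleServices = 'Web-Asp-Net', 'Web-Net-Ext'

function Get-AspNetRoleService {
    # Returns only the role services that are still installed.
    Get-WindowsFeature -Name $roleServices | Where-Object { $_.Installed }
}

function Remove-AspNetRoleService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $installed = @(Get-AspNetRoleService)
    if ($installed.Count -eq 0) {
        Write-Output 'ASP.NET and .NET Extensibility are not installed.'
        return
    }
    $names = $installed | ForEach-Object { $_.Name }
    if ($PSCmdlet.ShouldProcess(($names -join ', '), 'Remove IIS role services')) {
        $result = Remove-WindowsFeature -Name $names
        if (-not $result.Success) { throw "Removal failed: $($result.ExitCode)" }
        if ($result.RestartNeeded -ne 'No') {
            Write-Warning 'Restart required to finish removal.'
        }
    }
}

function Test-AspNetHandlerMapping {
    # True if any server-level handler mapping still points at ASP.NET.
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    $hits = & $appcmd list config '-section:system.webServer/handlers' |
        Select-String -Pattern 'aspnet_isapi\.dll|System\.Web\.'
    return @($hits).Count -gt 0
}

Remove-AspNetRoleService -WhatIf    # preview; rerun without -WhatIf to apply
if (Test-AspNetHandlerMapping) {
    Write-Warning 'ASP.NET handler mappings are still present.'
}
```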

How to apply the workaround?

If your IIS server is used to host both ASP.NET and PHP, or if your PHP web site uses any ASP.NET features, then disabling ASP.NET on the server is not an option for you. Instead you will need to apply the workaround that is described in detail in Scott Guthrie's blog:

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx