ASP.NET vulnerability affecting PHP sites on IIS
Microsoft has recently released a Security Advisory about a security vulnerability in ASP.NET. This vulnerability exists in all versions of ASP.NET. The PHP applications running on IIS are also subject to this vulnerability if ASP.NET is enabled in IIS.
IMPORTANT: Even if PHP application is not using any of the ASP.NET features the vulnerability still exists as long as ASP.NET is enabled.
More information about the vulnerability can be found at the following links:
- Microsoft Security Advisory
- Security Research and Defense Blog
- Scott Guthrie's blog about ASP.NET security vulnerability
- FaQ about about security vulnerability on Scott Guthrie's blog
This blog post describes how to protect you PHP applications on IIS from attacks that exploit this vulnerability.
How to protect your PHP sites on IIS?
Microsoft is working on releasing a patch that fixes this security vulnerability. Until the patch is released there are two options that exist today for protecting your PHP applications on IIS.
- If you do not need ASP.NET then disable it on the server
- If you need ASP.NET then apply the workaround described in Scott Guthrie's blog.
How to disable ASP.NET on IIS 6?
To disable ASP.NET on IIS 6 run the aspnet_regiis tool for every .NET version as shown below:%WINDIR%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis /u Start uninstalling ASP.NET (2.0.50727). ...................................................... Finished uninstalling ASP.NET (2.0.50727). %WINDIR%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis /u Start uninstalling ASP.NET (1.1.4322.0). Finished uninstalling ASP.NET (1.1.4322.0).
How to disable ASP.NET on IIS 7?
To disable ASP.NET on IIS 7 follow these steps:
- In the Windows Start Menu choose a€oRun:a€¯, type a€oCompMgmtLaunchera€¯ and click a€oOka€¯;
- Select the a€oWeb Server (IIS)a€¯ role, then click a€oRemove Role Servicesa€¯ and then disable the a€oASP.NETa€¯ and a€o.NET Extensibilitya€¯ checkbox under a€oApplication Developmenta€¯ group:
How to apply the workaround?
If your IIS server is used to host both ASP.NET and PHP or if your PHP web site uses any ASP.NET features, then disabling the ASP.NET on the server is not an option for you. Instead you will need to apply the workaround that is described in details in Scott Guthrie's blog: