I just got a message from a security guy that my application is executing remote code if they pass a Content-Type: image/asp. For now he does not disclose anything. Now my question is: if I am using an ASP.NET 5 MVC application on an IIS web server on Windows Server 2012 R2, can you send a specific content type to the web server in order to do remote code execution?
IIS, like most web application servers, automatically recognizes requests for URLs that contain server-side code and executes that code on the server. This means that, if I can upload a .ASP or .ASPX or similar file to your server, and then send a request to a URL that maps to the uploaded file, IIS will load the file and execute the code it contains. This code will execute in the user context of the IIS service, which generally has restricted privileges but nonetheless has access to lots of sensitive data (at minimum, all of the data that your webapp has any legitimate need for, TLS private keys, system-wide environment variables, and so on) plus of course it can be used to attempt internal network pivots or local EoP attacks.
There are a few ways to prevent this code execution risk. This is not a comprehensive list - I haven't done any IIS sysadmin work in over a decade, and am not fully familiar with its behavior these days - but it should get you started.
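Added example, not part of the original answer: one way an upload handler can keep a request declaring `Content-Type: image/asp` (or a file name ending in .asp) from ever producing a file that IIS maps to a script handler. The `UploadPolicy` class, its method name and the sample inputs are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Hypothetical helper, not code from the question or the answer.
static class UploadPolicy
{
    // Allowlist: stored extension -> leading "magic" bytes of that image format.
    static readonly Dictionary<string, byte[]> Allowed = new Dictionary<string, byte[]>
    {
        { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } },
        { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
        { ".gif", new byte[] { 0x47, 0x49, 0x46, 0x38 } },
    };

    // Returns the server-chosen name to store the upload under, or null to reject.
    // clientFileName and clientContentType are client-controlled and are
    // deliberately never used to build the stored name.
    public static string StoredNameFor(string clientFileName, string clientContentType, byte[] content)
    {
        foreach (var entry in Allowed)
        {
            byte[] magic = entry.Value;
            if (content.Length >= magic.Length &&
                content.Take(magic.Length).SequenceEqual(magic))
            {
                // Extension comes from the detected format and the name is random,
                // so "photo.asp" or "image/asp" cannot yield a handler-mapped name.
                return Guid.NewGuid().ToString("N") + entry.Key;
            }
        }
        return null; // not a recognised image: reject whatever type was declared
    }

    static void Main()
    {
        // Constructed inputs for illustration.
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D };
        byte[] text = Encoding.ASCII.GetBytes("<% ' constructed script text %>");

        Console.WriteLine(StoredNameFor("photo.asp", "image/asp", png) ?? "rejected");  // random name ending in .png
        Console.WriteLine(StoredNameFor("page.asp", "image/asp", text) ?? "rejected");  // rejected
        Console.WriteLine(StoredNameFor("page.png", "image/png", text) ?? "rejected");  // rejected
    }
}
```

A magic-byte check does not prove the rest of the file is a valid image; the protection against execution comes from the server choosing the extension, and it is strongest when the upload directory is also outside the web root or has no script handlers mapped.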