A vulnerability has been identified in the Microsoft Internet Information Services (IIS) where the server in incorrectly handling files with multiple extensions separated by the “;” character such as “malicious.asp;.jpg” as an ASP file. This allows attackers to upload malicious. executable’s on a vulnerable web server, bypassing file extension protections and restrictions. This bug does not work with ASP.Net technology as the.Net technology cannot recognize “Malicious.aspx;. as a.Net file and shows a “page notfound” error.
Source: https://thehackernews.com/2010/11/vulnerability-microsoft-iis-zero-day.html