Script mappings associate a particular file extension, such as .asp, to the ISAPI extension that handles it, such as Asp.dll. IIS is configured to support a range of extensions including .asp, .shtm, .hdc, and so on. ASP.NET HTTP handlers are a rough equivalent of ISAPI extensions. In IIS, file extensions, such as .aspx, are first mapped in IIS to Aspnet_isapi.dll, which forwards the request to the ASP.NET worker process. The actual HTTP handler that processes the file extension is then determined by the <HttpHandler> mapping in Machine.config or Web.config.
The main security issues associated with script mappings are:
An attacker could exploit a vulnerability found in an extension.
This could occur if a vulnerability in ...