TUCoPS :: Web :: IIS :: bt298.txt

Internet Information Services 5.0 Denial of service


Internet Information Services 5.0 Denial of service

[Release Date] May 29th, 2003
Severity: High

[Systems Affected]
* Microsoft Information Server 5.0
* Microsoft Information Server 5.1

[Description]

If an attacker sends a Webdav request with a body over 49,153 bytes
using the 'PROPFIND' or 'SEARCH' request methods, IIS will be forced
to restart itself. All web server, email, and active ftp connections
will be terminated, along with a disruption of future sessions during
the time it takes IIS to restart. The complete advisory is also available
from our
website at: http://www.spidynamics.com/iis_alert.html

[Remediation]
Please install the vendor-supplied patch located at
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp

[Contact Information]

SPI Labs
SPI Dynamics R&D Team
spilabs@spidynamics.com
115 Perimeter Center Place
Suite 270
Atlanta, GA 30346
Phone: (678)781-4800
Toll-Free Phone: (866)774-2700


SPI Dynamics was founded in 2000 by a team of accomplished Web security
specialists;
SPI Dynamics is the leader in Web application security technology. With such
signature
products as WebInspect, SPI Dynamics is dedicated to protecting companies'
most valuable
assets. SPI Dynamics has created a new breed of Internet security products
for the Web
application, the most vulnerable yet least secure component of online
business infrastructure.

Copyright (c) 2003 SPI Dynamics, Inc. All rights reserved worldwide.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH