COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4.0, 5.0 (upgraded from IIS 3.0)

PROBLEM

    Peter Grundl found the following. A system running Internet Information Server 4.0 or 5.0 that was upgraded from 3.0 still contains unused remnants of 3.0, left behind by functionality changes in 4.0. Since it is easy to "accidentally" install 3.0 when you install the server, there are bound to be quite a few systems out there that have not cleaned out the no longer used scripts and are thus vulnerable.

    Issuing a malformed request for a certain file contained in /scripts/iisadmin can send the web server into an infinite loop, after which it no longer accepts requests. The service will continue to "pick up" on TCP port 80 (or wherever you installed it), but will not honour HTTP requests. During testing, it was usually necessary to reboot the machine for IIS to start working again; simply stopping and starting inetinfo did not work.

SOLUTION

    Microsoft has released the following bulletin concerning the issue, including a patch:

    http://www.microsoft.com/technet/security/bulletin/MS00-044.asp

    Fix:

    IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709
    IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708
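As an added example, not part of the advisory or of any Microsoft tooling, the following script shows how an administrator can check IIS W3C extended logs for requests reaching the legacy /scripts/iisadmin directory: a 200 response under that path means the 3.0 remnant is still present and should be removed (or the patch applied). The log lines, the client addresses and the file name SOME-FILE are constructed placeholders.

```python
# Added example: flag requests under the legacy /scripts/iisadmin path in IIS
# W3C extended logs. Not from the advisory; sample lines below are constructed.
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import unquote

LEGACY_PREFIX = "/scripts/iisadmin/"


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, using the #Fields directive for column names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()  # W3C values are URL-encoded, so no spaces inside
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def flag_legacy_admin_requests(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (client ip, uri-stem, status) for every hit under LEGACY_PREFIX."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        # decode %xx escapes and ignore case: IIS paths are case-insensitive
        if unquote(stem).lower().startswith(LEGACY_PREFIX):
            hits.append((r.get("c-ip", ""), stem, r.get("sc-status", "")))
    return hits


def still_present(hits: List[Tuple[str, str, str]]) -> Set[str]:
    """Stems that were served with 200: the leftover 3.0 files still exist on disk."""
    return {stem.lower() for _, stem, status in hits if status == "200"}


# Constructed sample log (placeholder addresses and file name, not real data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-07-14 10:01:02 192.0.2.10 GET /default.htm - 200
2000-07-14 10:01:05 192.0.2.77 GET /scripts/iisadmin/SOME-FILE - 200
2000-07-14 10:01:09 192.0.2.77 GET /SCRIPTS/IISADMIN/SOME-FILE - 200
2000-07-14 10:02:00 192.0.2.10 GET /scripts/iisadmin/SOME-FILE - 404
"""
```

Run it against the real log directory after patching: once the remnants are gone, every hit under the prefix should be a 404 and `still_present` returns an empty set.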