COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 4.0, 5.0 (upgraded from IIS 3.0)

PROBLEM

    Peter Grundl found following.  A system with Internet  Information
    Server 4.0  or 5.0  that was  upgraded from  3.0, contains  unused
    remains from 3.0 due to functionality changes in 4.0.  Since  it's
    easy to "accidentally"  install 3.0 when  you install the  server,
    there is bound to  be quite a few  systems out there that  haven't
    cleaned out the  no longer used  scripts and thus  are vulnerable.
    Issuing  a  malformed  request  for  a  certain  file contained in
    /scripts/iisadmin can  result in  the webserver  going into  to an
    infinite  loop,  causing  the  web  server  to  no  longer  accept
    requests.  The service will continue  to "pick up" on TCP port  80
    (or  where  ever  you  installed  it),  but  will  not honour HTTP
    requests.   During testing  of this,  it was  usually necessary to
    reboot the machine in order for IIS to start working again, simply
    attempting to stop and start inetinfo did not work.

SOLUTION

    Microsoft  has  released  the  following  bulletin  concerning the
    issue, including a patch:

        http://www.microsoft.com/technet/security/bulletin/MS00-044.asp

    Fix:

        IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709
        IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708