IIS DoS via Chunked Encoding

 
Chunked Encoding via POST Method
Reported March 20, 2000 by Petteri Stenius

VERSIONS AFFECTED
  • Microsoft Internet Information Server 4.0

DESCRIPTION

According to Microsoft's report on the matter, "IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work."
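
As an added illustration (not Microsoft's code or patch, and not part of the original advisory), the decoder below checks each declared chunk size against a cap before reading anything and grows memory only with bytes that actually arrive. The limits, names and sample inputs are assumptions made for this example.

```python
import io

MAX_CHUNK = 64 * 1024     # assumed per-chunk cap (hypothetical policy value)
MAX_BODY = 1024 * 1024    # assumed whole-body cap (hypothetical policy value)
MAX_SIZE_LINE = 64        # longest chunk-size line that will be read

# Constructed sample inputs (not captured traffic).
NORMAL = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
OVERSIZED = b"7FFFFFFF\r\n"   # declares about 2 GiB, sends no data


class ChunkedBodyError(ValueError):
    """Raised when a chunked body is malformed or exceeds a limit."""


def read_chunked(stream, max_chunk=MAX_CHUNK, max_body=MAX_BODY):
    """Decode a Transfer-Encoding: chunked body from a binary stream.

    The declared size is validated against both caps before any data is
    read, so a large declaration never reserves memory by itself.
    """
    body = bytearray()
    while True:
        line = stream.readline(MAX_SIZE_LINE + 1)
        if not line.endswith(b"\r\n"):
            raise ChunkedBodyError("chunk-size line too long or unterminated")
        # Drop any chunk extension (";name=value") and parse the hex size.
        size_text = line[:-2].split(b";", 1)[0].strip()
        if not size_text or any(c not in b"0123456789abcdefABCDEF" for c in size_text):
            raise ChunkedBodyError("chunk size is not hexadecimal")
        size = int(size_text, 16)
        if size > max_chunk:
            raise ChunkedBodyError("declared chunk size exceeds per-chunk cap")
        if len(body) + size > max_body:
            raise ChunkedBodyError("body exceeds total cap")
        if size == 0:
            # Last chunk: skip optional trailer fields up to the blank line.
            while stream.readline(MAX_SIZE_LINE * 16) not in (b"\r\n", b""):
                pass
            return bytes(body)
        data = stream.read(size)
        if len(data) != size or stream.read(2) != b"\r\n":
            raise ChunkedBodyError("chunk data shorter than declared size")
        body += data
```

On a live socket the size caps need to be paired with a read timeout, since a client can still stall after declaring an in-limit chunk.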

VENDOR RESPONSE

Microsoft has issued a patch for Intel and Alpha platforms, a FAQ, and Support Online article Q252693.

For further information, refer to RFC 2616, Hypertext Transfer Protocol - HTTP/1.1.

CREDITS
Discovered and reported by Petteri Stenius