Denial of Service in Internet Information Server 5.0

Reported March 8, 2001, by Microsoft.


  • Microsoft Internet Information Services 5.0


Microsoft IIS 5.0 supports WWW Distributed Authoring and Versioning (WebDAV), an extension to HTTP defined in RFC 2518. A malicious attacker can use this protocol to author and manage Web content remotely. A vulnerability in the way WebDAV processes malformed requests causes the IIS services to consume all available CPU time. The condition lasts only as long as an attacker keeps sending these malformed requests to a vulnerable server. Because the default security settings don't permit publishing, the attacker cannot use this vulnerability to modify data on the affected server or process WebDAV requests.


Microsoft has issued security bulletin MS01-016 to address this vulnerability. Affected users should apply the patch available from Microsoft. The information in MS Knowledge Base article Q291845 now supersedes MS Knowledge Base article Q241520.
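Because the CPU exhaustion lasts only while the requests keep arriving, a sustained run of WebDAV requests from a single client is a practical thing to look for in the IIS logs until the patch is applied. The following is an added example, not code from Microsoft or the bulletin: it counts RFC 2518 methods per client per minute in a W3C Extended format log. The function name, the threshold of 5 and the sample log lines are assumptions made for illustration, and the check does not recognise the malformed request itself, only the volume of WebDAV traffic.

```python
from collections import Counter

# Methods that RFC 2518 (WebDAV) adds to HTTP/1.1.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample log in W3C Extended Log File Format (not real traffic).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Date: 2001-03-09 10:15:00",
    "#Fields: time c-ip cs-method cs-uri-stem",
    "10:15:01 192.0.2.10 GET /default.htm",
    "10:15:02 192.0.2.10 PROPFIND /docs",
] + [f"10:16:{s:02d} 198.51.100.7 PROPFIND /" for s in range(1, 7)])


def webdav_bursts(log_text, threshold=5):
    """Return {(client_ip, 'date HH:MM'): count} for every client that sent
    at least `threshold` WebDAV requests within one clock minute.
    `threshold` is an assumed value; tune it to the site's normal traffic."""
    fields, log_date = [], "unknown-date"
    counts = Counter()
    for line in log_text.splitlines():
        if line.startswith("#"):
            tokens = line.split()
            if tokens[0] == "#Fields:":
                fields = tokens[1:]          # column names for later records
            elif tokens[0] == "#Date:" and len(tokens) > 1:
                log_date = tokens[1]         # used when there is no date column
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue                         # blank, truncated or malformed record
        rec = dict(zip(fields, parts))
        if rec.get("cs-method", "").upper() not in WEBDAV_METHODS:
            continue
        minute = f"{rec.get('date', log_date)} {rec.get('time', '')[:5]}"
        counts[(rec.get("c-ip", "-"), minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (client, minute), n in sorted(webdav_bursts(SAMPLE_LOG).items()):
        print(f"{minute}  {client}  {n} WebDAV requests")
```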


Discovered by Georgi Guninski.
