Reported March 8, 2001, by Microsoft.
- Microsoft Internet Information Services 5.0
IIS 5.0 uses an extension to the HTTP protocol called WWW Distributed Authoring
and Versioning (WebDAV), as defined in RFC 2518. An attacker can use this
protocol to author and manage Web content remotely. A vulnerability exists in
the way WebDAV processes malformed requests, resulting in the IIS services
consuming all available CPU time. This condition lasts only as long as an
attacker keeps sending these malformed requests to a vulnerable server. Because
the default security settings don't permit publishing, the attacker cannot use
this vulnerability to modify data on the affected server or process WebDAV
requests.
Microsoft has issued security bulletin MS01-016 to address this vulnerability. Affected users should apply the patch available from Microsoft. The information in MS Knowledge Base article Q291845 now supersedes MS Knowledge Base article Q241520.
Discovered by Georgi Guninski.