Multiple Vulnerabilities in Microsoft IIS

Reported May 28, 2003, by Microsoft.





  • Microsoft Internet Information Services (IIS) 5.1 and 5.0

  • Microsoft Internet Information Server (IIS) 4.0




Four new vulnerabilities exist in IIS 5.1, 5.0, and 4.0, the most serious of which can result in the execution of arbitrary code on the vulnerable system. These four new vulnerabilities consist of the following:

  • A Cross-Site Scripting (CSS) vulnerability affecting IIS 5.1, 5.0, and 4.0 involves an error message about the redirection of a requested URL. By getting a user to click a link on a Web site, an attacker can relay a request containing script to a third-party Web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user. The script would then use the security settings of the third-party site (rather than the attacker's site) to render.

  • A buffer overrun results from IIS 5.0's incorrect validation of requests for certain types of Web pages, known as server side includes. An attacker would need to be able to upload a server-side include page to a vulnerable IIS server. If the attacker then requested this page, a buffer overrun could permit the attacker to execute code of his or her choice on the server with user-level permissions.

  • A Denial of Service (DoS) vulnerability results from a flaw in the way IIS 5.0 and 4.0 allocate memory requests when constructing headers to be returned to a Web client. An attacker would need to be able to upload an ASP page to a vulnerable IIS server. This ASP page, when called by the attacker, would attempt to return an extremely large header to the calling Web client. Because IIS doesn't limit the amount of memory that can be used in this case, this scenario could cause IIS to fail as a result of running out of local memory.

  • A DoS vulnerability results from IIS 5.1 and 5.0 incorrectly handling an error condition when an overly long WebDAV request is passed to them. As a result, an attacker could cause IIS to fail. However, by default, both IIS 5.1 and 5.0 restart immediately after this failure.
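
The cross-site scripting item above, as an added example that is not part of the Microsoft advisory and is not IIS code: a hypothetical redirect-notice builder that echoes the requested URL into its page, next to a version that HTML-encodes it first. The function names, page wording, and sample input are assumptions constructed for illustration.

```javascript
// Added illustration, not IIS code. Names and page wording are assumptions.

// Constructed sample input: a requested path carrying markup.
const SAMPLE = '/moved"><script>alert(document.domain)</script>';

// Encode the characters that are significant in HTML text and attributes.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the requested URL is copied into the page unchanged,
// so markup in it is parsed by the browser in this site's origin.
function redirectNoticeUnsafe(target) {
  return "<h1>Object moved</h1>" +
    `<p>This document may be found <a href="${target}">here</a>.</p>`;
}

// Hardened pattern: link only to http(s) URLs or site-relative paths,
// and HTML-encode the value before it reaches the page.
function redirectNoticeSafe(target) {
  const linkable = /^(https?:\/\/|\/(?!\/))/i.test(target);
  if (!linkable) {
    return "<h1>Object moved</h1><p>The requested document has moved.</p>";
  }
  return "<h1>Object moved</h1>" +
    `<p>This document may be found <a href="${htmlEncode(target)}">here</a>.</p>`;
}

// Regression check: does input containing HTML metacharacters
// come back byte-for-byte in the generated page?
function reflectsVerbatim(page, input) {
  return /[<>"']/.test(input) && page.includes(input);
}

console.log("unsafe reflects:", reflectsVerbatim(redirectNoticeUnsafe(SAMPLE), SAMPLE));
console.log("safe reflects:  ", reflectsVerbatim(redirectNoticeSafe(SAMPLE), SAMPLE));
```

The same `reflectsVerbatim` check can be kept as a regression test for any server-generated error or redirect page that includes part of the request.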





Microsoft has released Security Bulletin MS03-018, "Cumulative Patch for Internet Information Service (811114)," to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.



Discovered by SPIDynamics SPI Labs and NSFocus.
