IIS Denial of Service and Code Exposure

IIS Denial of Service and Code Exposure
Reported May 11 by
Cerberus Information Security

  • Internet Information Server 4.0
  • Internet Information Server 5.0


    Internet Information Server contains two security vulnerabilities in the ISAPI extension (ISM.DLL) that provides web-based password administration via .htr scripts files.

    One vulnerability is a denial of service issue that can occur when a user provides a password change request that was missing an expected delimiter. This effectively crashes the ISAPI extension as well as degrades the overall performance of the IIS server.

    In addition, the extension could allow fragments of certain files to be read by providing a malformed request that would cause the .htr processing to be applied to those files.

    According to the discoverers, by building a URL with a desired file name which has 230 or more spaces appended before the .htr suffix, IIS will map the request to the ISM.DLL return the contents of the file. The attack can only be launched once though, unless the web service is stopped and restarted. If a .htr request has already been made to the machine then this attack will fail. It will only work when ISM.DLL is loaded into memory for the first time.


    Microsoft has issued a patch for the problem.

    Internet Information Server 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20905 - Internet Information Server 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20903

    Discovered and reported by Cerberus Information Security

  • Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.