Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Overview

A variety of vulnerabilities exist in various versions of Microsoft
IIS. Some of these vulnerabilities may allow an intruder to execute
arbitrary code on vulnerable systems.

I. Description

There are a variety of vulnerabilities in Microsoft IIS. Many of
these vulnerabilities are buffer overflows that could permit an
intruder to execute arbitrary code on vulnerable systems.

Additional information about these vulnerabilities is available at

http://www.kb.cert.org/vuls/id/363715
CAN-2002-0071
Microsoft Internet Information Server (IIS) vulnerable to heap overflow
during processing of crafted ".htr" request by "ISM.DLL" ISAPI filter

http://www.kb.cert.org/vuls/id/883091
CAN-2002-0074
Microsoft Internet Information Server (IIS) contains cross-site scripting
vulnerability in IIS Help Files search facility

http://www.kb.cert.org/vuls/id/886699
CAN-2002-0148
Microsoft Internet Information Server (IIS) contains cross-site scripting
vulnerability in HTTP error page results

http://www.kb.cert.org/vuls/id/520707
CAN-2002-0075
Microsoft Internet Information Server (IIS) contains cross-site scripting
vulnerability in redirect response messages

http://www.kb.cert.org/vuls/id/412203
CAN-2002-0073
Microsoft Internet Information Server (IIS) vulnerable to DoS via malformed
FTP connection status request

http://www.kb.cert.org/vuls/id/454091
CAN-2002-0150
Microsoft Internet Information Server (IIS) vulnerable to buffer overflow
via inaccurate checking of delimiters in HTTP header fields

http://www.kb.cert.org/vuls/id/721963
CAN-2002-0149
Microsoft Internet Information Server (IIS) buffer overflow in server-side
includes (SSI) containing long invalid file name

http://www.kb.cert.org/vuls/id/521059
CAN-2002-0072
Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request
exceeds maximum allowed length

http://www.kb.cert.org/vuls/id/610291
CAN-2002-0079
Microsoft Internet Information Server (IIS) buffer overflow in chunked encoding
transfer mechanism

http://www.kb.cert.org/vuls/id/669779
CAN-2002-0147
Microsoft Internet Information Server (IIS) buffer overflow in chunked encoding
transfer mechanism

II. Impact

For many of the vulnerabilities, an intruder could execute arbitrary
code with privileges that vary according to which version of IIS is
running. In general, IIS 4.0 permits an intruder to execute code with
complete administrative privileges, while IIS 5.0 and 5.1 permit an
intruder to execute code with the privileges of the IWAM_computername
account.

III. Solution

Microsoft Corporation has released Microsoft Security Bulletin
MS02-018, which announces the availability of a cumulative patch to
address a variety of problems. We strongly encourage you to read this
bulletin and take the appropriate corrective measures. MS02-018 is
available at

In addition to applying the patch, or until it can be applied, we
recommend the following actions:

Our thanks to Microsoft Corporation for the information contained in
their advisory. Additionally, our thanks go to the various individuals
and organizations whom Microsoft identified as discovering the
vulnerabilities, including eEye Digital Security (http://www.eeye.com),
Serge Mister of Entrust, Inc. (http://www.entrust.com), Dave Aitel of
@Stake (http://www.atstake.com), Peter Grundl of KPMG, Joe Smith
(jsm1th@hotmail.com) and zenomorph (admin@cgisecurity.com) of
http://www.cgisecurity.com, Keigo Yamazaki of the LAC SNS Team
(http://www.lac.co.jp/security/), and Thor Larholm of Jubii A/S.

Author: Shawn V. Hernan

Copyright 2002 Carnegie Mellon University.

Revision History

April 11, 2002: Initial release