| VID |
12015 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The IIS web server is vulnerable to a denial of service attack associated with the Front Page ISAPI filter.
Front Page contain URL parsers for dynamic components(shtml.exe/dll). If a remote attacker send a request for /_vti_bin/shtml.exe where the URL for the dynamic contents is replaced with a long URL, submodule of ISAPI filter will filter out the URL, and return a null value to the web server URL parser. This will cause an access violation and inetinfo.exe will be shut down. On IIS 4.0 servers, the server must be manually restarted. On IIS 5.0 and 5.1 servers, the server will restart itself automatically. Although server are supposed to restart the service with "iisreset", this only works a few times, and service is crashed until an admin manually restarts the service or reboots the server. Although this issue is not present in the Cisco products themselves, a number of Cisco products running IIS are affected by this vulnerability.
* References:
http://online.securityfocus.com/bid/4479
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
* Platforms Affected:
Microsoft IIS 4.0
Microsoft IIS 5.0
Microsoft IIS 5.1
Cisco Buildig Broadband Service Manager
Cisco Call Manager
Cisco Unity Server |
| Recommendation |
Apply a cumulative patch to address this vulnerability and others.
* For Microsoft IIS 4.0 :
Patch Q319733 IIS 4.0
http://download.microsoft.com/download/iis40/Patch/Q319733/NT4/EN-US/Q319733i.exe
Service Pack Q317636
http://www.microsoft.com/ntserver/terminalserver/downloads/critical/q317636/default.asp
* For Microsoft IIS 5.0 :
Patch Q319733 IIS 5.0
http://download.microsoft.com/download/iis50/Patch/Q319733/NT5/EN-US/Q319733_W2K_SP3_X86_EN.exe
* For Microsoft IIS 5.1 :
Microsoft Patch Q319733 IIS 5.1
http://download.microsoft.com/download/iis50/Patch/Q319733/WXP/EN-US/Q319733_WXP_SP1_x86_ENU.exe
* For Cisco products :
Refer to web site http://online.securityfocus.com/bid/4479/solution/ for Microsoft's cumulative patch.
-- OR --
Remove the mapping of the shtml/shtm ISAPI filters. (for windows 2000)
1. Open Control panel ¡æ Administrative tools ¡æ Internet Services Manager.
2. Choose Properties of the Web Server.
3. Select Home Directory tab ¡æ Application Configuration.
4. Remove .shtml/shtm and sht from the Application mapping tab.
5. Click OK. |
| Related URL |
CVE-2002-0072 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
