| VID |
22035 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The IIS web server does not appear to have the 'Cumulative Patch for IIS' hotfix (Q319733) installed. This cumulative patch includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. In addition to the previously released security patches, it includes fixes for the following newly discovered security vulnerabilities affecting IIS 4.0, 5.0 and/or 5.1:
o Buffer overrun in Chunked Encoding mechanism: CAN-2002-0079
o Microsoft-discovered variant of Chunked Encoding buffer overrun: CAN-2002-0147
o Buffer Overrun in HTTP Header handling: CAN-2002-0150
o Buffer Overrun in ASP Server-Side Include Function: CAN-2002-0149
o Buffer overrun in HTR ISAPI extension: CAN-2002-0071
o Access violation in URL error handling: CAN-2002-0072
o Denial of service via FTP status request: CAN-2002-0073
o Cross-site Scripting in IIS Help File search facility: CAN-2002-0074
o Cross-site Scripting in HTTP Error Page: CAN-2002-0148
o Cross-site Scripting in Redirect Response message: CAN-2002-0075

* References: http://www.iss.net/security_center/static/8811.php

Affected Software:
o Microsoft Internet Information Server 4.0
o Microsoft Internet Information Services 5.0
o Microsoft Internet Information Services 5.1 |
| Recommendation |
Upgrade to IIS version 6.0 or later. |
| Related URL |
CVE-2002-0644,CVE-2002-0645 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|