Microsoft Internet Information Server is vulnerable to a denial of service.
This particular denial of service affects versions 2.0, 3.0 and 4.0 of the
server prior to service pack 4.
The denial of service is initiated by sending a long URL of specific
length to the server; the actual length required varies between installations
but is typically between 4 and 8k.
The URL which causes this issue is of the format http://server/?anything=XXXXX.
Note that no existing file need be requested. It appears that the condition is
related to the handling of CGI variable values.
This is not a buffer overflow; a URL of a specific length must be sent, and anything
longer or shorter will not affect the server. The threshold varies from system to system.
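
For log review, the following added example (not part of the original advisory) scans W3C extended log lines for requests whose URL, query string included, falls in the length band described above. It assumes the server or a proxy in front of it logs the standard cs-uri-stem and cs-uri-query fields, and it reads "4 and 8k" as 4096 to 8192 bytes; the sample lines are constructed.

```python
# Added example: triage W3C extended logs for the request shape in the advisory.
# Assumptions: standard W3C field names; "4 and 8k" read as 4096..8192 bytes.
# The exact trigger length varies per system, so this is a band, not a signature.
LOW, HIGH = 4096, 8192

def parse_w3c(lines):
    """Yield one dict per request line, following the active #Fields directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def url_length(rec):
    """Length of stem plus '?' plus query; '-' means no query was logged."""
    query = rec.get("cs-uri-query", "-")
    return len(rec.get("cs-uri-stem", "")) + (0 if query == "-" else 1 + len(query))

def suspicious(rec):
    """True when a query string is present and the URL length is in the band."""
    if rec.get("cs-uri-query", "-") == "-":
        return False
    return LOW <= url_length(rec) <= HIGH

def scan(lines):
    """Map client address -> list of in-band URL lengths seen from it."""
    hits = {}
    for rec in parse_w3c(lines):
        if suspicious(rec):
            hits.setdefault(rec.get("c-ip", "?"), []).append(url_length(rec))
    return hits

# Constructed sample log (documentation-range addresses, made-up timestamps).
SAMPLE = [
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "1998-12-01 10:00:01 192.0.2.10 GET /default.htm - 200",
    "1998-12-01 10:00:05 198.51.100.7 GET / anything=" + "X" * 6000 + " 200",
    "1998-12-01 10:00:09 192.0.2.10 GET /search.asp q=" + "A" * 20000 + " 200",
]

if __name__ == "__main__":
    for ip, lengths in scan(SAMPLE).items():
        print(ip, lengths)
```

Repeated in-band requests from one client with slowly changing lengths are worth a closer look, since the advisory notes the working length differs between installations.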