Rapid7 Vulnerability & Exploit Database

Microsoft IIS ISAPI Error Handling Denial of Service

Back to Search

Microsoft IIS ISAPI Error Handling Denial of Service

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
04/22/2002
Created
07/25/2018
Added
11/01/2004
Modified
12/04/2013

Description

A denial of service vulnerability involving the way IIS 4.0, 5.0, and 5.1 handle an error condition from ISAPI filters. At least one ISAPI filter (which ships as part of FrontPage Server Extensions and ASP.NET), and possibly others, generate an error when a request is received containing an URL that exceeds the maximum length set by the filter. In processing this error, the filter replaces the URL with a null value. A flaw results because IIS attempts to process the URL in the course of sending the error message back to the requester, resulting in an access violation that causes the IIS service to fail.

Solution(s)

  • http-iis-0057

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;