Microsoft IIS Response.AddHeader denial of service

iis-responseaddheader-dos (12099) Risk level: Medium

Description:

Microsoft Internet Information Server (IIS) 4.0 and 5.0 are vulnerable to a denial of service caused by a flaw in the Response.AddHeader ASP function, which does not limit the memory requested when constructing response headers. A remote attacker who already holds privileges to upload ASP files to a vulnerable server could upload a specially-crafted ASP page that calls Response.AddHeader with an overly large header and then request that page. Rendering the page consumes all available memory, causing the IIS service to fail; the server may need to be restarted to regain normal functionality. Note that the attacker must already be able to place ASP content on the server, so restricting ASP upload rights reduces exposure until the patch is applied.
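Because the attack requires an ASP page that builds an oversized header, one practical check on a server where untrusted users can upload ASP content is to audit uploaded ASP source for Response.AddHeader calls whose value is not a short string literal. The following auditor is an added example, not code from X-Force or Microsoft; it assumes VBScript-style ASP syntax, an assumed literal-length threshold of 8192 bytes, and runs over a constructed sample of ASP source embedded inline.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASP/VBScript source for demonstration (not from the advisory).
SAMPLE_ASP = '''<%
Response.AddHeader "X-Frame-Options", "DENY"
Dim big
big = String(16777216, "A")
Response.AddHeader "X-Padding", big
Response.AddHeader("X-Other", Request.QueryString("v"))
' Response.AddHeader "X-Commented", "ignored"
Response.Write "hello"
%>'''

# Assumed threshold: a string literal longer than this is treated as suspicious.
MAX_LITERAL_LEN = 8192

CALL_RE = re.compile(r'\bResponse\.AddHeader\b', re.IGNORECASE)
LITERAL_RE = re.compile(r'^"([^"]*)"$')


@dataclass
class Finding:
    line: int
    header: str
    value: str
    reason: str  # "dynamic" (value built at run time) or "oversized" (huge literal)


def split_top_level_comma(args):
    """Split an argument list at the first comma that is outside a string literal."""
    in_str = False
    for i, ch in enumerate(args):
        if ch == '"':
            in_str = not in_str
        elif ch == ',' and not in_str:
            return args[:i].strip(), args[i + 1:].strip()
    return args.strip(), ''


def audit_asp(source):
    """Return a Finding for each Response.AddHeader call whose value is not a short literal."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if line.startswith("'"):  # VBScript line comment
            continue
        m = CALL_RE.search(line)
        if not m:
            continue
        args = line[m.end():].strip()
        # Accept both "Response.AddHeader a, b" and "Response.AddHeader(a, b)" forms.
        if args.startswith('(') and args.endswith(')'):
            args = args[1:-1].strip()
        name, value = split_top_level_comma(args)
        name = name.strip('"')
        lit = LITERAL_RE.match(value)
        if lit is None:
            # Value is a variable, function call or expression: size is unbounded at audit time.
            findings.append(Finding(lineno, name, value, 'dynamic'))
        elif len(lit.group(1)) > MAX_LITERAL_LEN:
            findings.append(Finding(lineno, name, value, 'oversized'))
    return findings


if __name__ == '__main__':
    for f in audit_asp(SAMPLE_ASP):
        print(f'line {f.line}: {f.reason} header {f.header!r} <- {f.value}')
```

Run against the constructed sample, the auditor reports lines 5 and 6 (a variable built with String() and a value taken from the query string) and ignores the fixed literal on line 2 and the commented-out call. Flagged calls are not necessarily malicious; they are the places a reviewer should inspect on an unpatched IIS 4.0 or 5.0 host.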


Consequences:

Denial of Service

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-018. See References.

References:

  • CIAC Information Bulletin N-098: Microsoft Cumulative Patch for Internet Information Service (IIS).
  • Microsoft Security Bulletin MS03-018: Cumulative Patch for Internet Information Service (811114).
  • BID-7728: Microsoft Internet Information Service Multiple Vulnerabilities
  • BID-7733: Microsoft IIS ASP Header Denial Of Service Vulnerability
  • CVE-2003-0225: The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page.

Platforms Affected:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0

Reported:

May 28, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net