Microsoft IIS long GET request denial of service
| iis-get-dos (1823) |  Medium Risk |
Description:
Microsoft Internet Information Server (IIS) is vulnerable to a denial of service attack. A remote attacker can send a specially-crafted GET request containing long character string to the Web server to cause the server to consume all available resources. The server must be restarted in order to regain normal functionality.
Platforms Affected:
- Microsoft, IIS 3.0
- Microsoft, IIS 4.0
Remedy:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS98-019. See References.
Consequences:
Denial of Service
References:
- Microsoft Knowledge Base Article 192296, Specially-Malformed GET Requests Can Create a Denial of Service in W3 Server at http://support.microsoft.com/default.aspx?scid=kb;[LN];192296.
- Microsoft Security Bulletin MS98-019, Patch Available for IIS "GET" Vulnerability at http://www.microsoft.com/technet/security/bulletin/ms98-019.mspx.
- BID-6789: Microsoft IIS Malformed HTTP Get Request Denial Of Service Vulnerability
- CVE-1999-1035: IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS GET vulnerability.
Reported:
Dec 17, 1998
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net