Microsoft IIS Active Server Page Header DoS

2003-04-18T00:00:00
ID OSVDB:4863
Type osvdb
Reporter Parcifal Aertssen (parcifal@aqtronix.com)
Modified 2003-04-18T00:00:00

Description

Vulnerability Description

Microsoft IIS contains a flaw that may allow a remote attacker to exhaust the available memory and force IIS to restart. The issue is due to IIS not limiting the memory available for constructing headers to be returned to a web client. If an attacker uploads a specially crafted ASP page that returns an overly large header to the requesting client, IIS will run out of memory.

Technical Description

An attacker must have the ability to upload files to the IIS server.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

References:

Vendor URL: http://www.microsoft.com
Other Advisory URL: http://www.aqtronix.com/Advisories/AQ-2003-01.txt
Microsoft Security Bulletin: MS03-018
Microsoft Knowledge Base Article: 811114
Keyword: AQTRONIX Security Advisory AQ-2003-01
CVE-2003-0225