Malformed "GET" URLs Can Crash IIS
Reported December 21, 1998 by Eugene Kalinin and Brian Steele

VERSIONS AFFECTED

  • Internet Information Server 3.0 and 4.0

DESCRIPTION

Malformed URLs consisting of the GET statement and other erroneous data can cause the IIS service to consume all available resources and render the service unresponsive.

SOLUTION

Information about the problem resides in Knowledge Base article Q192296, "IIS: Patch Available for IIS "GET" Vulnerability."

Microsoft has released the following hot fixes:

IIS 3.0 on Intel platforms: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/Infget-fix/infget3i.exe

IIS 3.0 on Alpha platforms: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/Infget-fix/infget3a.exe

 

IIS 4.0 on Intel platforms: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/Infget-fix/infget4i.exe

IIS 4.0 on Alpha platforms: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/Infget-fix/infget4a.exe

To learn more about NT Security concerns, subscribe to NTSD

Credits
- Originally reported by Eugene and Brian via Microsoft
- Posted on The NT Shop on December 21, 1998