Reported June 6, 2002, by Microsoft.

VERSION AFFECTED

- Microsoft ASP.NET component of the Microsoft .NET Framework 1.0

DESCRIPTION

A vulnerability exists in the ASP.NET component of the Microsoft .NET Framework 1.0 that can result in a Denial of Service (DoS) condition or execution of arbitrary code on the vulnerable system. This vulnerability stems from an unchecked buffer in a routine that handles cookie processing in the StateServer mode. StateServer mode, however, is not the default session state mode for session management. This vulnerability is present only when the vulnerable system is using StateServer mode in conjunction with cookies.
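
Because the condition requires both StateServer mode and cookie-based sessions, a configuration audit can show which applications match it. The following is an added example, not part of the original advisory or the vendor bulletin: it parses a web.config and flags each `<sessionState>` element that meets both conditions. The sample configuration and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from the advisory).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <sessionState mode="StateServer" cookieless="false"
                  stateConnectionString="tcpip=127.0.0.1:42424" />
  </system.web>
  <location path="reports">
    <system.web>
      <sessionState mode="StateServer" cookieless="true" />
    </system.web>
  </location>
  <location path="legacy">
    <system.web>
      <sessionState timeout="20" />
    </system.web>
  </location>
</configuration>"""

def _children(parent, tag):
    # Direct children only, matched on the literal tag name.
    return [child for child in parent if child.tag == tag]

def audit_session_state(config_xml):
    """Return one finding per <sessionState> element declared in the file."""
    root = ET.fromstring(config_xml)
    # <system.web> may sit under <configuration> or under <location path="...">.
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", "(root)"), loc) for loc in _children(root, "location")]
    findings = []
    for scope, parent in scopes:
        for system_web in _children(parent, "system.web"):
            for elem in _children(system_web, "sessionState"):
                # ASP.NET defaults when an attribute is omitted: InProc, cookieless="false".
                mode = elem.get("mode", "InProc").strip()
                cookieless = elem.get("cookieless", "false").strip()
                uses_cookies = cookieless.lower() != "true"
                findings.append({
                    "scope": scope,
                    "mode": mode,
                    "uses_cookies": uses_cookies,
                    # Both conditions from the advisory must hold.
                    "matches_advisory": mode.lower() == "stateserver" and uses_cookies,
                })
    return findings

if __name__ == "__main__":
    for finding in audit_session_state(SAMPLE_WEB_CONFIG):
        print(finding)
```

A file with no `<sessionState>` element inherits the setting from a parent web.config or machine.config, so those files need the same check. A match identifies the configuration the advisory describes, not whether the MS02-026 patch is installed.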

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-026 to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Microsoft.