Reported June 12, 2002, by Microsoft.
· Microsoft Internet Information Services (IIS) 5.0
· Microsoft Internet Information Server (IIS) 4.0
A buffer overrun condition exists in IIS 5.0 and 4.0 that can lead to remote compromise of the affected system. This vulnerability stems from an unchecked buffer in the Internet Server API (ISAPI) extension that implements HTR.
The vendor, Microsoft, has released Security Bulletin MS02-028 (Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise) to address this vulnerability. This vulnerability doesn't affect users who don't use the HTR functionality. Microsoft recommends that only affected users download and apply the appropriate patch mentioned in the bulletin.
Discovered by eEye Digital Security.