Reported June 12, 2002, by Microsoft.

VERSIONS AFFECTED

· Microsoft Internet Information Services (IIS) 5.0
· Microsoft Internet Information Server (IIS) 4.0

DESCRIPTION

A buffer overrun condition exists in IIS 5.0 and 4.0 that can lead to remote compromise of the affected system. This vulnerability stems from an unchecked buffer in the Internet Server API (ISAPI) extension that implements HTR.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-028 (Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise) to address this vulnerability. This vulnerability doesn't affect users who don't use the HTR functionality. Microsoft recommends that only affected users download and apply the appropriate patch mentioned in the bulletin.

CREDIT
Discovered by eEye Digital Security.