Security Bulletin

Microsoft Security Bulletin MS00-018 - Important

Patch Available for "Chunked Encoding Post" Vulnerability

Published: March 20, 2000

Version: 1.0

Originally Posted: March 20, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Internet Information Server 4.0. The vulnerability could allow a malicious user to consume all resources on a web server and prevent it from servicing other users.

Frequently asked questions regarding this vulnerability can be found at https://www.microsoft.com/technet/security/bulletin/fq00-018.mspx.

General Information

Issue

IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work. There is no capability through this attack to create, modify or delete data on the server, nor is there any capability to usurp administrative control of the server. If the malicious user closed his session, the memory would be released and the server's operation would return to normal. Otherwise, the machine could be put back into normal service by stopping and restarting the service.

Affected Software Versions

  • Microsoft Internet Information Server 4.0

Vulnerability Identifier: CVE-2000-0226

Patch Availability

NOTE: Additional security patches are available at the Microsoft Download Center

More Information

Please see the following references for more information related to this issue.

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at https:

Acknowledgments

Microsoft thanks Petteri Stenius for reporting this issue to us and working with us to protect customers.

Revisions

  • March 20, 2000: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Built at 2014-04-18T13:49:36Z-07:00 </https:>