Article ID: 260838 - Last Review: July 3, 2008 - Revision: 8.1 MS00-031: IIS stops servicing HTR requestsThis article was previously published under Q260838 NoticeWe strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:http://www.microsoft.com/technet/security/prodtech/IIS.mspx
(http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For more information about IIS 7.0, visit the following Microsoft Web site: http://www.iis.net/default.aspx?tabid=1
(http://www.iis.net/default.aspx?tabid=1)
On This PageSYMPTOMS If a malicious user provides a password change request that
is missing an expected delimiter, the algorithm conducts an unbounded search.
This prevents the servicing of additional HTR requests, and can also slow the
overall response of the server. CAUSE The body of the request for a HTR page is assumed to be
valid. RESOLUTIONWindows 2000The original release of this fix is available in Windows 2000 Service Pack 1. For more information about Windows 2000 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:260910
(http://support.microsoft.com/kb/260910/
)
How to obtain the latest Windows 2000 service pack
For more information about
what the updated package fixes, click the following article numbers to view the
articles in the Microsoft Knowledge Base: 267560
(http://support.microsoft.com/kb/267560/
)
Changing the URL in a specific manner may expose contents of a file
267559
(http://support.microsoft.com/kb/267559/
)
MS00-044: GET on HTR file can cause a "Denial of Service" or enable directory browsing
260069
(http://support.microsoft.com/kb/260069/
)
Malformed HTR request returns source code for ASP scripting files
A supported
hotfix is now available from Microsoft, but it is only intended to correct the
problem that is described in this article. Only apply it to systems that are
experiencing this specific problem. This hotfix may receive additional testing.
Therefore, if you are not severely affected by this problem, we recommend that
you wait for the next Windows 2000 service pack that contains this
hotfix.To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site: http://support.microsoft.com/contactus/?ws=support
(http://support.microsoft.com/contactus/?ws=support)
Note In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The usual support costs will
apply to additional support questions and issues that do not qualify for the
specific update in question.The following file is available for download from the Microsoft Download Center: Collapse this image  For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base: 119591
(http://support.microsoft.com/kb/119591/
)
How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most
current virus-detection software that was available on the date that the file
was posted. The file is stored on security-enhanced servers that help prevent
any unauthorized changes to the file.
The English version of this fix should have the following file attributes or later: Date Time Version Size File name ----------------------------------------------------- 07/07/2000 03:17p 5.00.2195.2100 46,352 Ism.dll Windows NT 4.0A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows NT 4.0 that contains this fix.To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site: http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
(http://support.microsoft.com/default.aspx?scid=fh;en-us;cntactms)
NOTE: In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The usual support costs will
apply to additional support questions and issues that do not qualify for the
specific update in question.The following file is available for download from the Microsoft Download Center: US English:
x86: Collapse this image
Alpha: Chinese (Simplified): Collapse this image
x86: Chinese (Traditional): Collapse this image x86 Symbols: Collapse this image Alpha: Collapse this image Alpha Symbols: Collapse this image
x86: German: Collapse this image x86 Symbols: Collapse this image Alpha: Collapse this image Alpha Symbols: Collapse this image
x86: Japanese: Collapse this image x86 Symbols: Collapse this image Alpha: Collapse this image Alpha Symbols: Collapse this image
x86: Korean: Collapse this image x86 Symbols: Collapse this image Alpha: Collapse this image Alpha Symbols: Collapse this image
x86: Collapse this image x86 Symbols: Collapse this image Alpha: Collapse this image Alpha Symbols: Collapse this image Microsoft Windows NT Server version 4.0, Terminal Server EditionTo resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For more information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:317636
(http://support.microsoft.com/kb/317636/
)
Windows NT Server 4.0, Terminal Server Edition, Security Rollup
Package
STATUSWindows 2000Microsoft has confirmed that this problem may result in some degree of security vulnerability in Internet Information Services 5.0. This problem was first corrected in Windows 2000 Service Pack 1.Windows NT 4.0Microsoft has confirmed that this problem may result in some degree of security vulnerability in Internet Information Server 4.0.MORE INFORMATION For related information about this problem, please visit
the following Microsoft TechNet Web site: http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx
(http://www.microsoft.com/technet/security/bulletin/ms00-031.mspx)
For more security-related information about Microsoft products,
please visit the following Microsoft Web site: http://www.microsoft.com/security
(http://www.microsoft.com/security/)
For more information about what else is fixed by this update,
click the following article number to view the article in the Microsoft
Knowledge Base: 260069
(http://support.microsoft.com/kb/260069/
)
Malformed HTR request returns source code for ASP scripting files
| Article Translations
|
| United States | Change | | | All Microsoft Sites |
Back to the top
|
