Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
Malformed WebDAV request can cause IIS to exhaust CPU resources
Article ID: 291845 - View products that this article applies to.
This article was previously published under Q291845
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
World Wide Web Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP protocol that allows remote authoring and management of Web content. In the Windows 2000 implementation of the protocol, Microsoft Internet Information Services (IIS) 5.0 performs the initial processing of all WebDAV requests, and then forwards the appropriate commands to the WebDAV process. However, a flaw exists in the way WebDAV handles a particular type of malformed request. If a stream of such malformed requests is directed at an affected server, it consumes all CPU availability on the server.
To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
260910The English version of this fix should have the following file attributes or later:
(http://support.microsoft.com/kb/260910/ )How to obtain the latest Windows 2000 service pack
IMPORTANT: If you previously performed the workaround described in article Q241520, the following dialog box may be displayed when you install this fix:
Date Time Version Size File name ----------------------------------------------------- 03/12/2001 10:57a 0.9.3940.20 439,056 Httpext.dll
To bypass this dialog box, follow these steps to re-enable WebDAV:
Copy Error Setup cannot copy the file httpext.dll. Ensure that the location specified below is correct, or change it and insert 'Windows 2000 System Files' in the drive you specify. Copy files from: (drop down box below) c:\%windir%\system32\inetsrv
For more information about how to work around this problem, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/241520/ )How to disable WebDAV for IIS 5.0
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 2.
For more information on this vulnerability, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/ms01-016.mspxFor more information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/249149/ )Installing Microsoft Windows 2000 and Windows 2000 hotfixes
Article ID: 291845 - Last Review: November 21, 2006 - Revision: 3.2