MS00-031: IIS stops servicing HTR requests

This article was previously published under Q260838
This article has been archived. It is offered "as is" and will no longer be updated.
Notice
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:
Symptoms
If a malicious user provides a password change request that is missing an expected delimiter, the algorithm conducts an unbounded search. This prevents the servicing of additional HTR requests, and can also slow the overall response of the server.
Cause
The body of the request for a HTR page is assumed to be valid.
Resolution

Windows 2000

The original release of this fix is available in Windows 2000 Service Pack 1. For more information about Windows 2000 Service Pack 1, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
For more information about what the updated package fixes, click the following article numbers to view the articles in the Microsoft Knowledge Base:
267560 Changing the URL in a specific manner may expose contents of a file
267559 MS00-044: GET on HTR file can cause a "Denial of Service" or enable directory browsing
260069 Malformed HTR request returns source code for ASP scripting files
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:

DownloadDownload the Q267559_w2k_sp2_x86_en.exe package now.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:
   Date        Time    Version         Size    File name   -----------------------------------------------------   07/07/2000  03:17p  5.00.2195.2100  46,352  Ism.dll				

Windows NT 4.0

A supported fix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Apply it only to computers that are experiencing this specific problem. This fix may receive additional testing. Therefore, if you are not severely affected by this problem, Microsoft recommends that you wait for the next Windows NT 4.0 that contains this fix.

To resolve this problem immediately, download the fix by clicking the download link later in this article or contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:NOTE: In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The following file is available for download from the Microsoft Download Center:

Microsoft Windows NT Server version 4.0, Terminal Server Edition

To resolve this problem, obtain the Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package (SRP). For more information about the SRP, click the following article number to view the article in the Microsoft Knowledge Base:
317636 Windows NT Server 4.0, Terminal Server Edition, Security Rollup Package
Status

Windows 2000

Microsoft has confirmed that this problem may result in some degree of security vulnerability in Internet Information Services 5.0. This problem was first corrected in Windows 2000 Service Pack 1.

Windows NT 4.0

Microsoft has confirmed that this problem may result in some degree of security vulnerability in Internet Information Server 4.0.
More information
For related information about this problem, please visit the following Microsoft TechNet Web site: For more security-related information about Microsoft products, please visit the following Microsoft Web site: For more information about what else is fixed by this update, click the following article number to view the article in the Microsoft Knowledge Base:
260069 Malformed HTR request returns source code for ASP scripting files
security_patch DoS denial of service
Właściwości

Identyfikator artykułu: 260838 — ostatni przegląd: 10/26/2013 11:47:00 — zmiana: 9.0

  • kbnosurvey kbarchive kbqfe kbhotfixserver atdownload kbdownload kbbug kbfix kbgraphxlinkcritical kbsecurity kbwin2000sp1fix KB260838
Opinia