Microsoft IIS 4.0 Log Avoidance Vulnerability

Some versions of Microsoft's IIS Version 4.0 allow users to retrieve a dynamic Web page (such as those generated by .asp or PERL scripts) regardless of the HTTP method name, even though only the GET method is defined in the protocol for such a purpose.

As a consequence, a potential intruder can issue an HTTP request with a very long method name, such as "AAA..." repeated several thousand times. Since the method name is one of the fields present in the IIS log, this will increase the quantity of information sent to the logging process. In order to prevent a denial of service attack by saturating the log file, this process will refuse to log the request if the information exceeds a fixed limit (one test showed that a request with 10,150 characters was long enough).

If your machine is vulnerable (see the Solution field below), an attacker could use this security hole to bypass the logging mechanism and probe your server for known vulnerable scripts without running any risks of being detected.

This vulnerability only applies to people who installed MS IIS Version 4.0 from an NT option pack, such as people who upgraded from MS IIS Version 3.0, SP3.

This issue, as well as other issues, was fixed in Microsoft IIS Version 4.0 Service Pack 6. You can download this version fromWindows NT 4.0 Service Pack 6a .