Specially-Malformed Header in GET Request Creates Denial of Service

ID: Q238349


The information in this article applies to:
  • Microsoft Internet Information Server version 4.0
  • Microsoft Site Server version 3.0
  • Microsoft Commercial Internet System versions 2.0, 2.5
  • Microsoft Site Server version 3.0, Commerce Edition


SYMPTOMS

A specially-malformed header in a GET request can cause a denial of service in the W3 server and consume all available memory on the Web server, causing Internet Information Server (IIS) to stop responding to any request.


RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or the individual software update. For information on obtaining the latest service pack, please go to:

For information on obtaining the individual software update, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:
http://www.microsoft.com/support/supportnet/overview/overview.asp

This hotfix has been posted to the following Internet location as Vdext4i.exe (x86) and Vdext4a.exe (Alpha):
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/hdbrk-fix/


STATUS

Microsoft has confirmed this to be a problem in Internet Information Server 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 6.

Keywords : kbfix4.00 NT4SP6Fix iissecurity iiswww
Version : winnt:2.0,2.5,3.0,4.0
Platform : winnt
Issue type : kbbug


Last Reviewed: October 28, 1999
© 2000 Microsoft Corporation. All rights reserved.