ID

VAR-200003-0003


CVE

CVE-2000-0226


TITLE

Chunked encoding post can consume excessive memory on IIS 4.0 webserver

Trust: 0.8

sources: CERT/CC: VU#25716

DESCRIPTION

IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability." Microsoft IIS 4.0, circa March 2000, contained a vulnerability that allowed an intruder to consume unlimited memory on a vulnerable server. Due to unchecked buffer code that handles chunked encoding transfers, remote users are able to consume CPU cycles in Microsoft IIS until the program is rendered completely unstable and eventually crashes. This can cause the server to hang indefinitely until the remote user cancels the session or until the IIS service is stopped and restarted.

Trust: 2.61

sources: NVD: CVE-2000-0226 // CERT/CC: VU#25716 // JVNDB: JVNDB-2000-000015 // BID: 1066

AFFECTED PRODUCTS

vendor: microsoft | model: internet information server | scope: eq | version: 4.0

Trust: 1.6

vendor: microsoft | model: iis | scope: eq | version: 4.0

Trust: 1.1

vendor: microsoft | model: - | scope: - | version: -

Trust: 0.8

vendor: microsoft | model: iis alpha | scope: eq | version: 4.0

Trust: 0.3

sources: CERT/CC: VU#25716 // BID: 1066 // JVNDB: JVNDB-2000-000015 // CNNVD: CNNVD-200003-037 // NVD: CVE-2000-0226

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0226
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#25716
value: 2.62

Trust: 0.8

NVD: CVE-2000-0226
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200003-037
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2000-0226
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#25716 // JVNDB: JVNDB-2000-000015 // CNNVD: CNNVD-200003-037 // NVD: CVE-2000-0226

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0226

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200003-037

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200003-037

CONFIGURATIONS

sources: JVNDB: JVNDB-2000-000015

PATCH

title: MS00-018 | url: http://www.microsoft.com/technet/security/bulletin/ms00-018.asp

Trust: 0.8

title: MS00-018 | url: http://www.microsoft.com/japan/technet/security/Bulletin/ms00-018.mspx

Trust: 0.8

sources: JVNDB: JVNDB-2000-000015

EXTERNAL IDS

db: BID | id: 1066

Trust: 3.5

db: NVD | id: CVE-2000-0226

Trust: 2.4

db: CERT/CC | id: VU#25716

Trust: 0.8

db: JVNDB | id: JVNDB-2000-000015

Trust: 0.8

db: MS | id: MS00-018

Trust: 0.6

db: CNNVD | id: CNNVD-200003-037

Trust: 0.6

sources: CERT/CC: VU#25716 // BID: 1066 // JVNDB: JVNDB-2000-000015 // CNNVD: CNNVD-200003-037 // NVD: CVE-2000-0226

REFERENCES

url:http://www.securityfocus.com/bid/1066

Trust: 3.4

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-018

Trust: 2.0

url:http://www.microsoft.com/technet/security/bulletin/ms00-018.asp

Trust: 1.4

url:http://www.microsoft.com/technet/security/bulletin/fq00-018.asp

Trust: 1.1

url:http://www.microsoft.com/technet/support/kb.asp?id=252693

Trust: 1.1

url:http://www.ietf.org/rfc/rfc2616.txt

Trust: 0.8

url:http://online.securityfocus.com/bid/1066

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0226

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0226

Trust: 0.8

sources: CERT/CC: VU#25716 // BID: 1066 // JVNDB: JVNDB-2000-000015 // CNNVD: CNNVD-200003-037 // NVD: CVE-2000-0226

CREDITS

Discovered by Petteri Stenius and publicized in Microsoft Security Bulletin (MS00-018) released on March 20, 2000.

Trust: 0.9

sources: BID: 1066 // CNNVD: CNNVD-200003-037

SOURCES

db: CERT/CC | id: VU#25716
db: BID | id: 1066
db: JVNDB | id: JVNDB-2000-000015
db: CNNVD | id: CNNVD-200003-037
db: NVD | id: CVE-2000-0226

LAST UPDATE DATE

2024-11-22T22:57:22.617000+00:00


SOURCES UPDATE DATE

db: CERT/CC | id: VU#25716 | date: 2002-06-13T00:00:00
db: BID | id: 1066 | date: 2000-03-20T00:00:00
db: JVNDB | id: JVNDB-2000-000015 | date: 2007-04-01T00:00:00
db: CNNVD | id: CNNVD-200003-037 | date: 2005-10-12T00:00:00
db: NVD | id: CVE-2000-0226 | date: 2024-11-20T23:32:00.650

SOURCES RELEASE DATE

db: CERT/CC | id: VU#25716 | date: 2002-06-13T00:00:00
db: BID | id: 1066 | date: 2000-03-20T00:00:00
db: JVNDB | id: JVNDB-2000-000015 | date: 2007-04-01T00:00:00
db: CNNVD | id: CNNVD-200003-037 | date: 2000-03-20T00:00:00
db: NVD | id: CVE-2000-0226 | date: 2000-03-20T05:00:00