Sign-up

ID

VAR-200003-0003


CVE

CVE-2000-0226


TITLE

Chunked encoding post can consume excessive memory on IIS 4.0 webserver

Trust: 0.8

sources: CERT/CC: VU#25716

DESCRIPTION

IIS 4.0 allows attackers to cause a denial of service by requesting a large buffer in a POST or PUT command which consumes memory, aka the "Chunked Transfer Encoding Buffer Overflow Vulnerability.". Microsoft IIS 4.0, circa March 2000, contained a vulnerability that allowed an intruder to consume unlimited memory on a vulnerable server. Due to unchecked buffer code that handles chunked encoding transfers, remote users are able to consume CPU cycles in Microsoft IIS until the program is rendered completely unstable and eventually crash. This can cause the server to hang indefinitely until the remote user cancels the session or until the IIS service is stopped and restarted

Trust: 2.61

sources: NVD: CVE-2000-0226 // CERT/CC: VU#25716 // JVNDB: JVNDB-2000-000015 // BID: 1066

AFFECTED PRODUCTS

vendor:microsoftmodel:internet information serverscope:eqversion:4.0

Trust: 1.6

vendor:microsoftmodel:iisscope:eqversion:4.0

Trust: 1.1

vendor:microsoftmodel: - scope: - version: -

Trust: 0.8

vendor:microsoftmodel:iis alphascope:eqversion:4.0

Trust: 0.3

sources: CERT/CC: VU#25716 // BID: 1066 // JVNDB: JVNDB-2000-000015 // CNNVD: CNNVD-200003-037 // NVD: CVE-2000-0226

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2000-0226
value: MEDIUM

Trust: 1.0

CARNEGIE MELLON: VU#25716
value: 2.62

Trust: 0.8

NVD: CVE-2000-0226
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200003-037
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2000-0226
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: CERT/CC: VU#25716 // JVNDB: JVNDB-2000-000015 // CNNVD: CNNVD-200003-037 // NVD: CVE-2000-0226

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2000-0226

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200003-037

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200003-037

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2000-000015

PATCH
title:MS00-018url:http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
Trust: 0.8
title:MS00-018url:http://www.microsoft.com/japan/technet/security/Bulletin/ms00-018.mspx
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2000-000015

EXTERNAL IDS
db:BIDid:1066
Trust: 3.5
db:NVDid:CVE-2000-0226
Trust: 2.4
db:CERT/CCid:VU#25716
Trust: 0.8
db:JVNDBid:JVNDB-2000-000015
Trust: 0.8
db:MSid:MS00-018
Trust: 0.6
db:CNNVDid:CNNVD-200003-037
Trust: 0.6
sources:
            
            
            CERT/CC: VU#25716 // 
            
            
            
            BID: 1066 // 
            
            
            
            JVNDB: JVNDB-2000-000015 // 
            
            
            
            CNNVD: CNNVD-200003-037 // 
            
            
            
            NVD: CVE-2000-0226

REFERENCES
url:http://www.securityfocus.com/bid/1066
Trust: 2.4
url:http://www.microsoft.com/technet/security/bulletin/ms00-018.asp
Trust: 1.4
url:http://www.microsoft.com/technet/security/bulletin/fq00-018.asp
Trust: 1.1
url:http://www.microsoft.com/technet/support/kb.asp?id=252693
Trust: 1.1
url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2000/ms00-018
Trust: 1.0
url:http://www.ietf.org/rfc/rfc2616.txt
Trust: 0.8
url:http://online.securityfocus.com/bid/1066
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2000-0226
Trust: 0.8
url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2000-0226
Trust: 0.8
sources:
            
            
            CERT/CC: VU#25716 // 
            
            
            
            BID: 1066 // 
            
            
            
            JVNDB: JVNDB-2000-000015 // 
            
            
            
            CNNVD: CNNVD-200003-037 // 
            
            
            
            NVD: CVE-2000-0226

CREDITS
Discovered by Petteri Stenius and publicized in Microsoft Security Bulletin (MS00-018) released on March 20, 2000.
Trust: 0.9
sources:
            
            
            BID: 1066 // 
            
            
            
            CNNVD: CNNVD-200003-037

SOURCES
db:CERT/CCid:VU#25716
db:BIDid:1066
db:JVNDBid:JVNDB-2000-000015
db:CNNVDid:CNNVD-200003-037
db:NVDid:CVE-2000-0226

LAST UPDATE DATE
2024-08-14T14:36:04.532000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#25716date:2002-06-13T00:00:00
db:BIDid:1066date:2000-03-20T00:00:00
db:JVNDBid:JVNDB-2000-000015date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-200003-037date:2005-10-12T00:00:00
db:NVDid:CVE-2000-0226date:2018-10-12T21:29:29.497

SOURCES RELEASE DATE
db:CERT/CCid:VU#25716date:2002-06-13T00:00:00
db:BIDid:1066date:2000-03-20T00:00:00
db:JVNDBid:JVNDB-2000-000015date:2007-04-01T00:00:00
db:CNNVDid:CNNVD-200003-037date:2000-03-20T00:00:00
db:NVDid:CVE-2000-0226date:2000-03-20T05:00:00